MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
SHA3-384 hash: 52455aa547a0bdca151f0f57aca4bab086240988691e5f4b05399b09b498a371ac090259e4e9d10a0da9b3b66e8ab26b
SHA1 hash: 3be05d9f18b574c5c4eea2f8ab8160c470553aeb
MD5 hash: 6ea14e473644f3bea03782f41d7c5246
humanhash: beryllium-lima-river-cat
File name:6EA14E473644F3BEA03782F41D7C5246.exe
Download: download sample
Signature Pony
Create hunting rule
File size:712'704 bytes
First seen:2021-07-16 23:41:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5902f54cce3bf6c462b28591aa495e5f (1 x Pony)
ssdeep 12288:Bi8B0emlp/lyWf6in0c7PE1pajwY4Cn6YxxE3Y/M:HQlW+Ow4C+
Threatray 2'659 similar samples on MalwareBazaar
TLSH T19CE4FCD0960921C9C9129FF6886EDF7882F8F3751FA0D7871879ED14610A279ED0F92E
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://fuckoff.av.com/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://fuckoff.av.com/gate.php https://threatfox.abuse.ch/ioc/160850/

Intelligence

File Origin
# of uploads :
1
# of downloads :
651
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6EA14E473644F3BEA03782F41D7C5246.exe
Verdict:
Malicious activity
Analysis date:
2021-07-16 23:42:44 UTC
Tags:
trojan pony fareit stealer
Link:
https://app.any.run/tasks/bcb14744-994a-4aa4-8d71-16de8c270e2f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Pony
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172297/
Detection(s):
Win.Malware.Nanobot-6918776-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c44ecbdc-d991-4536-920b-f016a03f1360
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817742
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Drops PE files with benign system names
Early bird code injection technique detected
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450153 Sample: SYBUHHofkT.exe Startdate: 17/07/2021 Architecture: WINDOWS Score: 100 74 Multi AV Scanner detection for domain / URL 2->74 76 Found malware configuration 2->76 78 Malicious sample detected (through community Yara rule) 2->78 80 12 other signatures 2->80 12 SYBUHHofkT.exe 2->12         started        15 lsass.exe 2->15         started        process3 signatures4 108 Detected unpacking (changes PE section rights) 12->108 110 Detected unpacking (overwrites its own PE header) 12->110 112 Tries to steal Mail credentials (via file registry) 12->112 114 2 other signatures 12->114 17 SYBUHHofkT.exe 12->17         started        20 SYBUHHofkT.exe 1 12 12->20         started        22 WerFault.exe 23 9 12->22         started        25 WerFault.exe 2 9 12->25         started        27 lsass.exe 15->27         started        29 lsass.exe 15->29         started        process5 file6 66 Injects a PE file into a foreign processes 17->66 31 SYBUHHofkT.exe 1 17->31         started        60 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 22->60 dropped 62 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 25->62 dropped 34 lsass.exe 27->34         started        68 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 29->68 70 Tries to harvest and steal ftp login credentials 29->70 72 Tries to harvest and steal browser information (history, passwords, etc) 29->72 signatures7 process8 file9 64 C:\Users\user\AppData\Roaming\...\lsass.exe, PE32 31->64 dropped 37 lsass.exe 31->37         started        82 Early bird code injection technique detected 34->82 84 Maps a DLL or memory area into another process 34->84 39 explorer.exe 34->39         started        signatures10 process11 signatures12 42 lsass.exe 37->42         started        45 lsass.exe 12 37->45         started        47 WerFault.exe 37->47         started        49 WerFault.exe 37->49         started        96 Maps a DLL or memory area into another process 39->96 98 Creates a thread in another existing process (thread injection) 39->98 process13 signatures14 104 Injects a PE file into a foreign processes 42->104 51 lsass.exe 42->51         started        106 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 45->106 process15 signatures16 86 Early bird code injection technique detected 51->86 88 Maps a DLL or memory area into another process 51->88 90 Queues an APC in another process (thread injection) 51->90 54 explorer.exe 51->54         started        process17 signatures18 92 Maps a DLL or memory area into another process 54->92 94 Creates a thread in another existing process (thread injection) 54->94 57 explorer.exe 54->57 injected process19 signatures20 100 Maps a DLL or memory area into another process 57->100 102 Creates a thread in another existing process (thread injection) 57->102
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43/
Threat name:
Win32.Infostealer.Limitail
Create hunting rule
Status:
Malicious
First seen:
2021-07-13 18:39:00 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yvs44exwhmolrfyvnybdjed2jfixiojeo5d4y7pvw2mvfqphzzbq._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
03be30bf83c48de2fc11174179c6b466cde149f2af7032dbc8bf2036a12b0e1a
Pony
3d06df16d5d4d51df9bf6c9cd3269bc7f48ff70b5c0a6902173d389cbf10b03d
Pony
5b7418517d962f6a77dedf03d99cf637fd0e202bcab8fa26441461a68b8d7cd2
Pony
61a70fdae6040d08c4f66f5d5ba95aba1987cda5e4715903696c3139a33d8e05
Pony
82abed1d037e286fb147d1ff13ab740bc338dc3ebf514e0e24d727e84cb2a460
Pony
be41dee9f9b806f5932a9ed56c841d884f4d7f8dafcdd20b4debfe82cc4898d4
Pony
ccea3ec883dbebf01bf405a8191e375dcdad2ab03b4601bd34b5261a3acf3fea
Pony
ea0ce50f66a640eea126b60be3a15f0c0295f07c227e4ef5d68ac043063ce9c3
Pony
eb639e9d45ed4d4cf911195b7ef53d61897dd8f826c542ae411854ddec3aea87
Pony
f51fc0ab96d1aee49950b8ca91ef67c330b8593340cc3002513100ac9bf163b0
Pony
+ 2'649 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony discovery rat spyware stealer upx
Link:
https://tria.ge/reports/210716-8fsl16yk3j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Checks installed software on the system
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
Pony,Fareit
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://fuckoff.av.com/gate.php
http://mrson.dan.al/sddob/gate.php
Unpacked files
SH256 hash:
2765f3d8e874873d4c6edaf278b1b49193488ada22d79be64a98658addad9522
MD5 hash:
d277b8ddafaf3588911c742990106078
SHA1 hash:
f7b20c334aa7e13da07433d09c1bd152796e33eb
Detections:
win_solarbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/a5810b2b-2a84-460a-a9a2-86a56d71c85d/
SH256 hash:
f23db0ce85f8e55248bca73df91d1ef48918f5d8413929b1dbbb6547ae45e1fc
MD5 hash:
4db5239e84ef6bb2e07b7443ee4f84dc
SHA1 hash:
9f338ac7a2478f93ab9175b04c3c1847e29785b5
Detections:
win_solarbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/a5810b2b-2a84-460a-a9a2-86a56d71c85d/
SH256 hash:
6adc68f59e723ef9b59145e4454cf4668b596501cd76056f06a164e121faa8f8
MD5 hash:
b78a07442b5a076b952176b347e73bcf
SHA1 hash:
a3b443768cbfa32c091bfb66f374ccbbe29712c7
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/a5810b2b-2a84-460a-a9a2-86a56d71c85d/
SH256 hash:
c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
MD5 hash:
6ea14e473644f3bea03782f41d7c5246
SHA1 hash:
3be05d9f18b574c5c4eea2f8ab8160c470553aeb
Link:
https://www.unpac.me/results/a5810b2b-2a84-460a-a9a2-86a56d71c85d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172297/

Comments