MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7a78d6ceddf6e5bb98d62c2f9e4259fc8a7819ba08e54aca63e3f1b5476a754. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 14



SHA256 hash: c7a78d6ceddf6e5bb98d62c2f9e4259fc8a7819ba08e54aca63e3f1b5476a754
SHA3-384 hash: e2a8b6e8c070c6c88f7ef21d2a0fa5c9e5179db0b2dbf34b6f8e9bd8abdce95139c69d473e5246f69ab37adc260e915d
SHA1 hash: cf18e2f1e3600cd01d2e2057ae0e8d34a3b97fb7
MD5 hash: 42c84e6311867e7dec5e797f70f3b594
humanhash: massachusetts-diet-oklahoma-july
File name: Trojan-PSW.Win32.Fareit.cvec-c7a78d6ceddf6e5b.exe
Signature: Pony
File size: 153'600 bytes
First seen: 2023-11-03 17:35:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5eb5cc69cb7b917f1b7f303bce429cda (1 x Pony)
ssdeep: 3072:og1KnSxN2Kpv963IXNGq+vACl5gtga0xGM+ToFQ5G3SVshtAqblF040DRQ:og1KSxoK1I3IX8z5UT6GM+8oE/EqblqP
TLSH: T14CE302439E9D5DCAF4958130C89F4BB79A767C550A90DB2B9AA4F72E3C35380F11B0AC
TrID: 60.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      11.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.0% (.EXE) Win32 Executable (generic) (4505/5/1)
      4.6% (.ICL) Windows Icons Library (generic) (2059/9)
      4.5% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 88b8b0b0b0a4c8f0 (1 x Pony)
Reporter: abuse_ch
Tags: exe Pony


abuse_ch
Pony C2:
http://seelend.com/man/panelnew/gate.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 342
Origin country: NL
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Reading critical registry keys
DNS request
Sending an HTTP POST request
Stealing user critical data
Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: bifrost fareit packed packed packed pony tofsee upx
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Pony trojan / infostealer detected
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Generic Dropper
Yara detected Pony
Behaviour
Behavior Graph:
Threat name: Win32.Infostealer.PonyStealer
Status: Malicious
First seen: 2019-02-18 01:18:00 UTC
File Type: PE (Exe)
Extracted files: 49
AV detection: 32 of 38 (84.21%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:pony collection discovery rat spyware stealer upx
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Pony, Fareit
Malware Config
C2 Extraction: http://seelend.com/man/panelnew/gate.php
Unpacked files
SHA256 hash: dac9364530a72b50fbb4af7d26ea8968712fb122e4267834afe5fb9a6431093e
MD5 hash: 7cd75fb363d69b93841b67aaa75415d7
SHA1 hash: 566baa750b4c0cef7d4ec647524c8d68a6e16e50
Detections: win_pony_auto win_pony_g0

SHA256 hash: c7a78d6ceddf6e5bb98d62c2f9e4259fc8a7819ba08e54aca63e3f1b5476a754
MD5 hash: 42c84e6311867e7dec5e797f70f3b594
SHA1 hash: cf18e2f1e3600cd01d2e2057ae0e8d34a3b97fb7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: SEH__vba
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: UPXv20MarkusLaszloReiser
Author: malware-lu

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments