MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccc0390af8ad285929138e6c2ac4a5b4a9634e1d174cef926cfc0fc62287f10a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ccc0390af8ad285929138e6c2ac4a5b4a9634e1d174cef926cfc0fc62287f10a
SHA3-384 hash: eb99f7a5047dadaceab2eb89114e9dcd0de3bff3580817351d728225af01177a26b6c44eef5c35e8577b18ca50659fbb
SHA1 hash: 4b418d542a4f2123b5f9b41048a064620c846dbd
MD5 hash: cb146c68c50dc75077012a085a3b76d2
humanhash: bulldog-coffee-salami-april
File name:gunzipped.exe
Download: download sample
Signature Pony
Create hunting rule
File size:241'152 bytes
First seen:2021-04-28 05:51:14 UTC
Last seen:2021-04-28 06:00:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:P8+fby6Ki9hDuZisVE0MPmirIvaIwKgsP/jLR7PA:ERVi9hDgix0I1rwbpgsP/jLR7P
Threatray 37 similar samples on MalwareBazaar
TLSH 89346A1231459EB7F2131CBA4C1ED2B215976D24542AA51DB1AE731F18F232223EF76F
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://45.133.1.49/VNBXZ/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.133.1.49/VNBXZ/gate.php https://threatfox.abuse.ch/ioc/19612/

Intelligence

File Origin
# of uploads :
2
# of downloads :
511
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
gunzipped.exe
Verdict:
No threats detected
Analysis date:
2021-04-28 05:54:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5e0ecc94-92cb-4c72-9332-b0918d051238

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144811/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.6887.16330.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/700045
Signature
Detected Lokibot Info Stealer
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ccc0390af8ad285929138e6c2ac4a5b4a9634e1d174cef926cfc0fc62287f10a/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-04-28 03:39:29 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ztadscxyvuufskitrzwcvrffwsuwgtq5c5go7etm7qh4miuh6efa._file
Verdict:
unknown
Similar samples:
411a64366a6b5b9e57bd06dcdccd377ea02d9ed7e8be0f290f0674e3d7ff3215
Pony
588692919a751e9852cf32e0b1da42c347f2ff99a2afd2378c6a7573d7a532fc
Pony
a425f34863ba2e720f7a2af8525132ba97d19a3439947ecd028d8620897e7f2b
Pony
a5c9be9bcb214e69a39285a634f95e43fdf1ad10536bcc9bce84be7edb48cb31
Pony
b33514e7b334b8aee694323114c7d2694f3cdb49c7614291ca8f064c23ff8542
Pony
d4e42f2ff9f01dc12e8549c8ce17832971a927f2c826c32daa3d4e375fd21815
Pony
e4a364bc4301da3e0a1280d627bb19810e94828e4d2c44b477a9cd576039c664
Pony
ed9d96725b88ce0a3caee6d98c11369fb84a1d7eca3847db66abe63c49955f73
Pony
efc2e2029414d0b2c20a5a31a7845d77d3634b9c272363b79ba131b3bff453ee
Pony
fd03c87d6385f3d86400245902c821b496f603105887a05f67eb6948f4c5c085
Pony
+ 27 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony discovery rat spyware stealer
Link:
https://tria.ge/reports/210428-sd6ewvha7e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Unpacked files
SH256 hash:
c0ce2cf58bbfebb58d003bb17a189e96a376b69a89242a19e34e625f32bb78ab
MD5 hash:
d1076d69ad47c02a6baeacd06b13eccd
SHA1 hash:
e08d7460fba61eba7cad811aa0aed4ce6d52efe7
Link:
https://www.unpac.me/results/5733def6-1d61-44d4-89d6-0fc87de7e144/
SH256 hash:
4684c61bee7060dbad4bda2818aa1a8979d9f30fb0fdd2c20044a12cecbeecf0
MD5 hash:
7e62cca5c954325f705cb8f49b181494
SHA1 hash:
b0afd4306498e874769e012648e0b450b0cd451b
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/5733def6-1d61-44d4-89d6-0fc87de7e144/
SH256 hash:
9806402b3d0ff0913ff03a40f879a3e264252393a83e27936600aa2fbf7a70e2
MD5 hash:
a5d907ebc56c8dc01aef5369da0fc3d6
SHA1 hash:
5f4810fb86f9ba97bccc91431caef1591c9d85b4
Link:
https://www.unpac.me/results/5733def6-1d61-44d4-89d6-0fc87de7e144/
SH256 hash:
ccc0390af8ad285929138e6c2ac4a5b4a9634e1d174cef926cfc0fc62287f10a
MD5 hash:
cb146c68c50dc75077012a085a3b76d2
SHA1 hash:
4b418d542a4f2123b5f9b41048a064620c846dbd
Link:
https://www.unpac.me/results/5733def6-1d61-44d4-89d6-0fc87de7e144/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ccc0390af8ad285929138e6c2ac4a5b4a9634e1d174cef926cfc0fc62287f10a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144811/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-28 06:00:53 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0023] Execution::Install Additional Program