MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1c9b6cc284f964d7a65df78137c404f2d24562354681f64433c7e2f25e30588. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	d1c9b6cc284f964d7a65df78137c404f2d24562354681f64433c7e2f25e30588
SHA3-384 hash:	19c4804841bcfa4cbe088f495768a7adffd36c35bd0e28b4edb1a85b97a9392588048693c8a6030ef6f80674b2bf87ed
SHA1 hash:	b08e8aca4dd650de5ef73f13ebc3eba71da12655
MD5 hash:	140e89a0319fc70aa12f5523cb2df432
humanhash:	thirteen-table-eight-ink
File name:	order details.EXCEL.XLSx.xls.io.exe
Download:	download sample
Signature	Pony Create hunting rule
File size:	367'616 bytes
First seen:	2020-07-07 09:22:19 UTC
Last seen:	2020-07-07 13:33:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'795 x AgentTesla, 19'693 x Formbook, 12'274 x SnakeKeylogger)
ssdeep	6144:3aZ+aON+Ln3vebw+DFHzSeCO09/diZ5Rg/3oc:Kgcr3veU+BHtCOmiZ5UB
Threatray	216 similar samples on MalwareBazaar
TLSH	F7746B7032B2AFA6C6390BF8912425404FF13A8B653DC2A86DC560DB45F6F449E95FB3
Reporter	abuse_ch
Tags:	exe Pony

abuse_ch

Malspam distributing Pony:

HELO: wyndhamvale.hosting-cloud.net
Sending IP: 103.146.113.48
From: Martin Hrašč <Andrew.Cohen@materion.com>
Subject: PO
Attachment: order details.EXCEL.XLSx.xls.io.rar (contains "order details.EXCEL.XLSx.xls.io.exe")

Pony C2:
http://kanavagronomy.in/star/panel/gate.php

Intelligence

File Origin

# of uploads :

# of downloads :

462

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Fareit

Link:

https://www.capesandbox.com/analysis/22144/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Reading critical registry keys

Launching a service

DNS request

Creating a file in the %temp% directory

Running batch commands

Creating a process with a hidden window

Self-deleting of the BAT file

Stealing user critical data

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Brute forcing passwords of local accounts

Deleting of the original file

Detection:

pony

Link:

https://mwdb.cert.pl/sample/d1c9b6cc284f964d7a65df78137c404f2d24562354681f64433c7e2f25e30588/

Threat name:

ByteCode-MSIL.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-07 09:24:07 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2he3ntbij6le26tf354bg7caj4wsivrdkrub6zcdhr7c6jpdawea._file

Result

Malware family:

pony

Score:

10/10

Tags:

spyware discovery rat stealer family:pony

Link:

https://tria.ge/reports/200707-a465v572wa/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Checks for installed software on the system

Reads data files stored by FTP clients

Deletes itself

Reads user/profile data of web browsers

Pony,Fareit

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Pony

rar 864a6d6f6c1e89840aa1ed3671b57c5d9b995ea90f1d8e8594ea3a7a745b7e60

Pony

exe d1c9b6cc284f964d7a65df78137c404f2d24562354681f64433c7e2f25e30588

(this sample)

Dropped by

MD5 8dff8d628866f14fa8c53797b6769b9a

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/22144/

Dropped by

SHA256 864a6d6f6c1e89840aa1ed3671b57c5d9b995ea90f1d8e8594ea3a7a745b7e60

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample