MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d277383b7a558d59181872c5436d2cf117daef8298004a937ffebddcbd6e956f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Pony
Vendor detections: 4



SHA256 hash: d277383b7a558d59181872c5436d2cf117daef8298004a937ffebddcbd6e956f
SHA3-384 hash: 85726b319efbb54ab2e5bf38a2cf1ab72a2c32df8cf04b37d0d6f23663de941824b8a30933278c7154ca27fdd8445b3d
SHA1 hash: c0fef450da583df32cacc7254bc9d9d082201ea7
MD5 hash: 92fdd28d2e1f26c263e3619ac6d2c58d
humanhash: high-fillet-triple-sixteen
File name: 1
Signature: Pony
File size: 71'680 bytes
First seen: 2020-05-25 16:57:11 UTC
Last seen: Never
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: d6c03f1f7dc2828b2d560500f84ffb7a (2 x Pony)
ssdeep: 1536:J5hxWfkFqTbCnvfpWHYcBXlOhA9dEQevvV4HT/X5cx:zhkcDW4cB1OhMd5/X
Threatray: 115 similar samples on MalwareBazaar
TLSH: 17633A13B491A0F2C1E22B74B7C46311F3FE596578B69E46EF6D2A457DF2683AB02043
Reporter: threathive
Tags: Pony

Intelligence


File Origin
# of uploads: 1
# of downloads: 129
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Fareit
Status: Malicious
First seen: 2020-05-25 17:35:26 UTC
File Type: PE (Dll)
AV detection: 29 of 31 (93.55%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:pony discovery rat spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks installed software on the system
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony, Fareit
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pony
Author: Brian Wallace @botnet_hunter
Description: Identify Pony

Rule name: win_pony_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments