MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3e8a314209b568a8161c36aba3c799860ec55c867a4d9ded2183657d0e37eed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 7


Intelligence 7 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3e8a314209b568a8161c36aba3c799860ec55c867a4d9ded2183657d0e37eed
SHA3-384 hash: 7b9d5d082f3251d5f2c9693b05d549801b5654e546f8dd5b483152608d30e2d12973cee0a3eb6a693ccbbd32eab16561
SHA1 hash: 65113ab42af92d2888005f77a38f319ae7957583
MD5 hash: 3ce66caa331cbde38b08ac28665057ed
humanhash: venus-cup-stream-asparagus
File name:3CE66CAA331CBDE38B08AC28665057ED.exe
Download: download sample
Signature Pony
Create hunting rule
File size:1'703'936 bytes
First seen:2021-07-21 21:00:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4e0949dfb15fa89be19c9b90d78b6864 (3 x Pony)
ssdeep 12288:R4TZJHtqPRx+9Bvw6VjWVmzafcWf/rKpHGAcKEZUiX:RmJHjDpiNnGpHGFPZUi
Threatray 284 similar samples on MalwareBazaar
TLSH T17375C01317E3BA3FF25A167B0CE801A871467B727EA3CE43B921A8F7855644D335468B
dhash icon 71e8f4f2d2f4f871 (2 x Pony)
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://lokipanelhosting.cf/ax/pony/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://lokipanelhosting.cf/ax/pony/gate.php https://threatfox.abuse.ch/ioc/161788/

Intelligence

File Origin
# of uploads :
1
# of downloads :
598
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3CE66CAA331CBDE38B08AC28665057ED.exe
Verdict:
No threats detected
Analysis date:
2021-07-21 21:04:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3ca59a55-7260-4ad3-accf-7e3b1698452b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173173/
Detection(s):
Win.Downloader.LokiBot-9165134-0
Create hunting rule

Win.Trojan.Ponystealer-9843674-0
Create hunting rule

Win.Dropper.Formbook-9875973-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Gorgon Group
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/051be155-bd29-41dd-af45-3563d89d0932
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819779
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates autostart registry keys with suspicious values (likely registry only malware)
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 452187 Sample: ymHl4djAP8.exe Startdate: 21/07/2021 Architecture: WINDOWS Score: 100 29 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->29 31 Malicious sample detected (through community Yara rule) 2->31 33 Antivirus / Scanner detection for submitted sample 2->33 35 5 other signatures 2->35 7 ymHl4djAP8.exe 3 4 2->7         started        11 wscript.exe 1 2->11         started        13 wscript.exe 1 2->13         started        process3 file4 25 C:\Users\user\AppData\Local\...\filename.scr, PE32 7->25 dropped 27 C:\Users\user\AppData\Local\...\filename.vbs, ASCII 7->27 dropped 43 Drops PE files with a suspicious file extension 7->43 15 wscript.exe 1 1 7->15         started        18 filename.scr 11->18         started        20 filename.scr 13->20         started        signatures5 process6 signatures7 45 Creates autostart registry keys with suspicious values (likely registry only malware) 15->45 22 filename.scr 15->22         started        process8 signatures9 37 Antivirus detection for dropped file 22->37 39 Multi AV Scanner detection for dropped file 22->39 41 Machine Learning detection for dropped file 22->41
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3e8a314209b568a8161c36aba3c799860ec55c867a4d9ded2183657d0e37eed/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2021-07-19 06:23:20 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2pukgfbatnlivalbynvlupdztbqoyvoim6sntxwsda3fpuhdp3wq._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
24f0d922d0dbd20647e6c89d86b1dec6aac2316833d338dcf9eea7dff0a1c2b1
Pony
4fbb201bac972c243d392f1191e76e16d56e01c5ebcea6e826ecc7236e50d37b
Pony
504b55a6e93fcfac9ac20bfc51c2c116e5ed3bd9c6a6cb36efcd6161d3ec1e2f
Pony
7bd6671507de8ee2f3e7082691ad10195c01a54486e8f2a976cee1880c2dc4d1
Pony
a3411c5d36b751a2fac427e0132b30b683543013bfea2eb68fe66b7ca914d0eb
Pony
a87c76402548fdef67c57b5c17c18b9650f31afb1f5b57e1b8addea30b976ba5
Pony
c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
Pony
d0439ade62a8cc3e52a07cded43c9453326cd427bd7d265d5e15dcf222deaa2c
Pony
e06424448f76d743640e518b0fec78a025fee0856f6afa507e077e5dcc118e3c
Pony
+ 274 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210721-k348crd676/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
d3e8a314209b568a8161c36aba3c799860ec55c867a4d9ded2183657d0e37eed
MD5 hash:
3ce66caa331cbde38b08ac28665057ed
SHA1 hash:
65113ab42af92d2888005f77a38f319ae7957583
Link:
https://www.unpac.me/results/7b8d4535-8c7b-47a6-9cab-8af956117e72/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.21
Link:
https://yomi.yoroi.company/submissions/d3e8a314209b568a8161c36aba3c799860ec55c867a4d9ded2183657d0e37eed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173173/

Comments