MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da26d05e19c69265cbbd35077fc5cb7498909d249865621544fada43d9aef8bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 13

Intelligence 13 IOCs 1 YARA File information Comments

SHA256 hash:	da26d05e19c69265cbbd35077fc5cb7498909d249865621544fada43d9aef8bb
SHA3-384 hash:	c6f9f63aa847a048d3330c975f54acda68f4f4f10e8ae87d6286bc1fb781b1573b5710ccb2c22f0f12f67ac5af869451
SHA1 hash:	1037cc74278ca295d4adfdebdf1f3655600431e5
MD5 hash:	e8aa7c58523aeb4f383945649b36bf6f
humanhash:	harry-failed-eight-beer
File name:	DA26D05E19C69265CBBD35077FC5CB7498909D2498656.exe
Download:	download sample
Signature	Pony Create hunting rule
File size:	1'679'360 bytes
First seen:	2022-09-28 22:50:57 UTC
Last seen:	2024-07-24 22:03:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	21a2465d56c70c062b5eae0fca05fe67 (1 x Pony)
ssdeep	6144:63GBCuToFmxeCO6gnaYrPmaMT92bwQfV5RrvtLpcr79uV7RrevpV2WSjHT+X6q6x:xBwPmaMcVncrQV7Rivp8WSjH6X4x
TLSH	T1C67516C5B884C956DAA052F25F88C4FE2C127C65DCEA992F75E9F70F01BD4F2446A2E0
TrID	74.8% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 9.5% (.EXE) Win64 Executable (generic) (10523/12/4) 5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1) 1.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	79fcf43969f0f8f0 (1 x Pony)
Reporter	abuse_ch
Tags:	exe Pony

abuse_ch

Pony C2:
http://drvo-namjestaj.hr/jpeg/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://drvo-namjestaj.hr/jpeg/gate.php	https://threatfox.abuse.ch/ioc/856342/

Intelligence

File Origin

# of uploads :

# of downloads :

409

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Pony

Link:

https://www.capesandbox.com/analysis/314522/

Detection(s):

Win.Malware.Fareit-7004554-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Unauthorized injection to a recently created process

Sending a custom TCP request

Reading critical registry keys

DNS request

Sending an HTTP POST request

Creating a file in the %temp% directory

Running batch commands

Creating a process with a hidden window

Stealing user critical data

Query of malicious DNS domain

Brute forcing passwords of local accounts

Verdict:

No Threat

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6334cfe6d089a0c15dd2a367/reports/029e0fde-6c50-401b-a3a1-a87d14ca6620/overview

Malware family:

Pony

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9de2273f-1e85-4554-8a9b-03fcc526bab3

Result

Threat name:

Lokibot, Pony

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1079613

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected Lokibot Info Stealer

Detected unpacking (changes PE section rights)

Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Generic Dropper

Yara detected Pony

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/da26d05e19c69265cbbd35077fc5cb7498909d249865621544fada43d9aef8bb/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2019-06-28 18:07:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3itnaxqzy2jgls55gudx7rolosmjbhjetbswefke7lnehwno7c5q._file

Verdict:

malicious

Label(s):

pony

cloudeye

Result

Malware family:

pony

Score:

10/10

Tags:

family:pony collection discovery rat spyware stealer

Link:

https://tria.ge/reports/220928-2stkesadaq/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks installed software on the system

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Checks computer location settings

Deletes itself

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Pony,Fareit

Malware Config

C2 Extraction:

http://drvo-namjestaj.hr/jpeg/gate.php

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/671c12f1-6bf8-451b-afb7-830db4e7cd96

Unpacked files

SH256 hash:

da26d05e19c69265cbbd35077fc5cb7498909d249865621544fada43d9aef8bb

MD5 hash:

e8aa7c58523aeb4f383945649b36bf6f

SHA1 hash:

1037cc74278ca295d4adfdebdf1f3655600431e5

Link:

https://www.unpac.me/results/2720dbe1-128e-4e91-af9c-46e94ce5eabb/

Malware family:

Pony

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/da26d05e19c6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Farheyt

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/da26d05e19c69265cbbd35077fc5cb7498909d249865621544fada43d9aef8bb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/314522/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample