MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e044b87f7a7d2a17a7dd8939838407a27d07347f93c5c53d5abaefac8413a7b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e044b87f7a7d2a17a7dd8939838407a27d07347f93c5c53d5abaefac8413a7b0
SHA3-384 hash: 39e04c2d1b8a916940232b9644f85255486c0843a8d6f3636bd867f08669e8a533c5722cdd5efba7c2c30e1666e83aad
SHA1 hash: 6467c8dae01e27e5333264bafc36d2393695b3b3
MD5 hash: b00fa3cd2d02a242f2ed266d60d8c707
humanhash: happy-item-november-cat
File name:Bill of lading Draft.pdf.exe
Download: download sample
Signature Pony
Create hunting rule
File size:695'296 bytes
First seen:2020-07-20 07:41:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:0uFjZ1q9I6/kldSCGDyaod+ik4g8y3SoDq8l8DgWT:0utZOPW2rEloDq8lI
Threatray 235 similar samples on MalwareBazaar
TLSH FCE4CFC86ADB9405C2EC2EB89E62CA7843347D06F4F7830B2FD5AD4E393A752D854359
Reporter abuse_ch
Tags:exe Maersk Pony


Avatar
abuse_ch
Malspam distributing Pony:

HELO: ip-102-236-static.velo.net.id
Sending IP: 222.165.236.102
From: MAERSK LINE <aming@sinokor.co.id>
Subject: RE: Shipment Update
Attachment: Bill of lading Draft.pdf.gz (contains "Bill of lading Draft.pdf.exe")

Pony C2:
http://sikatech.id/ek/panelnew/gate.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
435
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Fareit
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28574/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.52265.6357.607.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/390990
Behaviour
Behavior Graph:
Download SVG
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e044b87f7a7d2a17a7dd8939838407a27d07347f93c5c53d5abaefac8413a7b0/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 07:43:05 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4bclq732puvbpj65re4yhbahuj6qond7spc4kpk2xlx2zbatu6ya._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
23e3757121ff1a0c053d2dc66651ad8e2152373724a8091c56a7fae203401cab
Pony
311d544af2d68a7cc2b4b72fc0daf60b888f060fe185eb1f6771b498d025cf16
Pony
80b9257f924aef8ac5a1a724234ddcd6b67bee79819202bb7b5d4586b35164c7
Pony
841e400462718d0c71b30ac5c90768c409485806146ee50bfc2f866913ffcf49
Pony
98adccc8a599f53904c5cd22c7398d6b692c642807cab71f1ab6d2dc65e1c5a5
Pony
b24205394b92b61e4058e30a94528aa34cf37b3d930c3197d91f33f8fd173cf4
Pony
b2d579828599ae4e265f77899466dc005e7685b50dcbf6817388ea22d404ab2c
Pony
d01f1ad8b4e08a70621ab7d9907d551bc238a990737e45060252998c059bb0fa
Pony
f711673ec31f884e59192cc360b841efc1c77b0d0b41787bea5424ae520f9989
Pony
fe966a744b83daaecb2b4b01adc7204e42d3f98955e142e78d7a948709185d27
Pony
+ 225 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
discovery rat spyware stealer family:pony
Link:
https://tria.ge/reports/200720-4pn29a5b5j/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Checks installed software on the system
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Deletes itself
Pony,Fareit
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e044b87f7a7d2a17a7dd8939838407a27d07347f93c5c53d5abaefac8413a7b0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Pony

gz 7b4777539983ed715fee4205a3df914b09c1f68fac75ab7e8e15b3d07b51727d

Pony

Executable exe e044b87f7a7d2a17a7dd8939838407a27d07347f93c5c53d5abaefac8413a7b0

(this sample)

  
Dropped by
MD5 fb7a84ff2aebb7057f496b6bc21434b8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28574/
  
Dropped by
SHA256 7b4777539983ed715fee4205a3df914b09c1f68fac75ab7e8e15b3d07b51727d

Comments