MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e400fef46e21fbd7191240230a5fab9326de9baf0fbebfef8883e5c2662862a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Pony


Vendor detections: 4



SHA256 hash: e400fef46e21fbd7191240230a5fab9326de9baf0fbebfef8883e5c2662862a1
SHA3-384 hash: e4fd4fd9da6cef90fb8eedce9a9578f07190178fa92aa81a4b7b6a3154ebf46e27c388f0e303ef6e4d44d3a53b8adf87
SHA1 hash: 383982269defce3f78f88e2e350c298370de7c15
MD5 hash: 7181014e10639594927fd8bb463b9385
humanhash: mississippi-angel-crazy-october
File name: 9ac7f17303745d46ab2b0220a7ce0d11.exe
Signature: Pony
File size: 123'392 bytes
First seen: 2020-04-14 08:37:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 085f942c74d09a78dcd2b95a4c1c7441 (12 x Pony)
ssdeep: 3072:Lv/qJseQM1pw89ZseOmQ56ql/LetsrVrqh:Lv/uQ6w5eOmyl/LbJr
Threatray: 116 similar samples on MalwareBazaar
TLSH: 8AC31803F885E0B1C0A1167667C1A770E3FC9D6978768E4AFFCD5D47BDB2696AB12002
Reporter: abuse_ch
Tags: exe GuLoader Pony


abuse_ch
Payload dropped by GuLoader from the following URL:
https://onedrive.live.com/download?cid=0F48D15360733D06&resid=F48D15360733D06%21106&authkey=AChi3rQkGbcN-KA

Intelligence

File Origin
# of uploads: 1
# of downloads: 113
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Fareit
Status: Malicious
First seen: 2020-04-14 09:35:37 UTC
File Type: PE (Exe)
Extracted files: 12
AV detection: 44 of 45 (97.78%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Pony
Executable exe e400fef46e21fbd7191240230a5fab9326de9baf0fbebfef8883e5c2662862a1 (this sample)
  Dropped by: MD5 d34d6ac66dc16811e6cfc9ce6145f45f
  Dropped by: GuLoader
  Dropped by: SHA256 8505891fa2d79725f832801f518138d078f93d873aad7a290cbde084a5c9b4df

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance, ole32.dll::CreateStreamOnHGlobal
URL_MONIKERS_API | Can Download & Execute components | urlmon.dll::ObtainUserAgentString
WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::OpenProcess, kernel32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryA, kernel32.dll::GetSystemInfo
WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateDirectoryA, kernel32.dll::CreateFileA, kernel32.dll::CreateFileMappingA, kernel32.dll::DeleteFileA, kernel32.dll::GetWindowsDirectoryA, kernel32.dll::GetFileAttributesA
WIN_BASE_USER_API | Retrieves Account Information | advapi32.dll::GetUserNameA
WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegCreateKeyA, advapi32.dll::RegOpenCurrentUser, advapi32.dll::RegOpenKeyExA, advapi32.dll::RegOpenKeyA, advapi32.dll::RegQueryValueExA, advapi32.dll::RegSetValueExA

Comments