MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebadbebdb632cdc59b9333f56295ea99080248807a1d6f35c086159c8b2329e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebadbebdb632cdc59b9333f56295ea99080248807a1d6f35c086159c8b2329e6
SHA3-384 hash: 55c3567fcfc659ca493c16611f94495f081515eef75b11260bd7f0d3602a51fa7b580c52df6e35a01c7dcdb798027c50
SHA1 hash: b5dabdb3085c89a2e0e2806fa350a6a6423639c9
MD5 hash: d39da7377015f8a81f92344c28072b6f
humanhash: sixteen-florida-zulu-oscar
File name:PO200200017-2494.exe
Download: download sample
File size:276'480 bytes
First seen:2020-05-11 15:15:01 UTC
Last seen:2020-05-11 16:10:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:2BDWMlygMkCVlZZIeAwirKCwKvrbMKSSJjk:sDPyg01ir5OSJ
Threatray 221 similar samples on MalwareBazaar
TLSH 3C444A0523BC2B26E07A9BF558B0A450C7FA76277174E3AD4DD260CA16E2F80CD15F6B
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: main.oal.com.my
Sending IP: 103.8.26.32
From: Muhammad <nickfinlay@carpetlinedirect.co.uk>
Subject: Re: Purchase Order
Attachment: PO200200017-2494.ace (contains "PO200200017-2494.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.48634.1200.18964.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-12 02:30:09 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ow35pnwglg4lg4tgp2wffpkteeaeseapiow6noaqykzzczdfhta._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
2dba22bb151cb9c5e35304b1a6215374d6857898d217b721f9b5a6e8d973576d
6168fd7705599e810cba4c0954acb5cdfa8e03ae92ed679a9e538a09da08a7de
70b3e86ab4bda10e5ccb441fb356f193ee69f709b9d827b8f1bfd0077a64316e
754b203cb7ca6224a217e4187151adb437574b95fe15fd1bb7ab887cffad8bce
78c42daa9bd978e2e2ca039a54f167f5090681124f402fa9c9bd69a2dd23bc26
977c4348075fea725b12f615548b5c586ad1abbaa00c9c51b972278f46adacc5
d1b6aaf16fc5e9ffbe13411dfbefe5c0c7dd222c727852da8fc9fb39a88ed2ae
da6a5a35ad94ccafa9da5cf5579033e0df382f567eed47793141ed511c8f2920
f4e44a53a69291a3e254cc11fcf4dbe244f407cff4d919526a2532c65654ad89
f79be9655ab5fa236f5b81bc4af8538e91e4dbb3f6ee25d14891c6bec26681ae
+ 211 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony discovery rat spyware stealer
Link:
https://tria.ge/reports/201109-x116am71n2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

f61987e8bda53f305099ac1870b740bb

Executable exe ebadbebdb632cdc59b9333f56295ea99080248807a1d6f35c086159c8b2329e6

(this sample)

  
Dropped by
MD5 f61987e8bda53f305099ac1870b740bb
  
Delivery method
Distributed via e-mail attachment

Comments