MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca
SHA3-384 hash:	5913fd570ac76e213e5ca66abd52d2458ce46779db35755a41ed763ab66ff7bed3b54095604cb8d5ff096f80221e2c03
SHA1 hash:	fbcabd564c13287b0a0d42026c77006f0c6e7983
MD5 hash:	b70279fc1c857dc76a50f77a46460657
humanhash:	hydrogen-uniform-mobile-december
File name:	Tovar na vozvrat za etot mesyac.exe
Download:	download sample
Signature	Pony Create hunting rule
File size:	1'165'328 bytes
First seen:	2020-07-09 14:46:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4dd32c32f17a30996f03854030919577 (1 x Pony)
ssdeep	3072:05D0yNTuo0ILAuHv5B6YK/5AhNSiMM+WSz48sBt5gWDeKsgnlYcrgx+ICPKGy3yF:05D0ouGUYv5MN5ILMUcsBAWDepgnlujq
Threatray	146 similar samples on MalwareBazaar
TLSH	4145910533A7DD55FDB63A399A3689B8487AFC51E970CA6F32D03D0F3871A809875362
Reporter	abuse_ch
Tags:	Downloader.Pony exe geo Pony RUS

abuse_ch

Malspam distributing Downloader.Pony:

HELO: smtp.ugramail.ru
Sending IP: 217.20.80.59
From: Полина Мамонтова <analitika@ugramail.ru>
Reply-To: Полина Мамонтова <tarasovaek59@rambler.ru>
Subject: Заявка, возврат июль
Attachment: Tovar na vozvrat za etot mesyac.001 (contains "Tovar na vozvrat za etot mesyac.exe")

Pony C2:
http://172.105.48.152/p/z05857687.php

Intelligence

File Origin

# of uploads :

# of downloads :

492

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/23936/

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Creating a file in the %temp% directory

Connection attempt

Detection:

pony

Link:

https://mwdb.cert.pl/sample/eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2020-07-09 14:48:08 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5wtlyj3zrnzdbvr4v2jclrdgwz5qlz4iwmk6jxcehrb46g5kx7fa._file

Result

Malware family:

pony

Score:

10/10

Tags:

spyware discovery rat stealer family:pony

Link:

https://tria.ge/reports/200709-16spvfmhbn/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Script User-Agent

Runs ping.exe

Checks for installed software on the system

Accesses cryptocurrency wallets, possible credential harvesting

Reads user/profile data of web browsers

Deletes itself

Reads data files stored by FTP clients

Pony,Fareit

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Pony

rar 986462b76b2e496caa135b897e0329909bc2547dfbd4cbec97ee0c344e3df4df

Pony

exe eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca

(this sample)

Dropped by

MD5 2f9945befaa4a7d58a5efd17e812dc2d

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/23936/

Dropped by

SHA256 986462b76b2e496caa135b897e0329909bc2547dfbd4cbec97ee0c344e3df4df

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample