MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0883adc5b8236f709c190d5fef08f4bcca554f9e56c7519eb1d34353348cbe5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0883adc5b8236f709c190d5fef08f4bcca554f9e56c7519eb1d34353348cbe5
SHA3-384 hash: 585857c4548cfeec06a8d01d8f51866609022629e243c20a8b42d1dc5b599a63b3248279dac566d4c4e75743cf561561
SHA1 hash: b9418753627e239e1dcb180cbe714642847feb95
MD5 hash: d1b8361fb0820054e90295f5856d5a24
humanhash: massachusetts-five-carolina-ohio
File name:RFQ-DOCSX.exe
Download: download sample
Signature Pony
Create hunting rule
File size:596'992 bytes
First seen:2021-03-21 06:56:09 UTC
Last seen:2021-03-21 08:41:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:DZKQZ3Rv5l79RsnZkV2QJBogK/TXb2+E/W2yBW5RWyP4:Ds8391V2Qkj/TLAtyQR4
Threatray 190 similar samples on MalwareBazaar
TLSH FBC4DF7F259B2633C5B9C7B28CE90447F622A53A35D09A0D64E20B9517A27537CCFB0E
Reporter cocaman
Tags:exe Pony

Intelligence

File Origin
# of uploads :
2
# of downloads :
567
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ-DOCSX.exe
Verdict:
Malicious activity
Analysis date:
2021-03-21 06:57:12 UTC
Tags:
trojan pony fareit stealer
Link:
https://app.any.run/tasks/38df2814-119d-42d1-94e4-a6fee1e42937

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.ML.PE-A.28637.19191.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Reading critical registry keys
DNS request
Sending an HTTP POST request
Sending an HTTP GET request
Running batch commands
Stealing user critical data
Enabling autorun by creating a file
Brute forcing passwords of local accounts
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/164b319b-e1d6-4e21-99c4-ecd8539deee9
Result
Threat name:
Lokibot Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/647007
Signature
.NET source code contains very large strings
Antivirus detection for URL or domain
Detected Lokibot Info Stealer
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 372472 Sample: RFQ-DOCSX.exe Startdate: 21/03/2021 Architecture: WINDOWS Score: 100 32 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus detection for URL or domain 2->36 38 9 other signatures 2->38 8 RFQ-DOCSX.exe 6 2->8         started        process3 file4 24 C:\Users\user\AppData\...\mzXOQqsvvQNic.exe, PE32 8->24 dropped 26 C:\Users\user\AppData\Local\...\tmpA420.tmp, XML 8->26 dropped 28 C:\Users\user\AppData\...\RFQ-DOCSX.exe.log, ASCII 8->28 dropped 40 Detected Lokibot Info Stealer 8->40 42 Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code 8->42 44 Tries to steal Mail credentials (via file registry) 8->44 46 2 other signatures 8->46 12 RFQ-DOCSX.exe 1 14 8->12         started        16 schtasks.exe 1 8->16         started        signatures5 process6 dnsIp7 30 tayladanismanlik.com 2.57.89.36, 49716, 80 AS-HOSTINGERLT Lithuania 12->30 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->48 50 Tries to harvest and steal ftp login credentials 12->50 52 Tries to harvest and steal browser information (history, passwords, etc) 12->52 18 cmd.exe 1 12->18         started        20 conhost.exe 16->20         started        signatures8 process9 process10 22 conhost.exe 18->22         started       
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f0883adc5b8236f709c190d5fef08f4bcca554f9e56c7519eb1d34353348cbe5/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-03-21 06:55:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
8 of 47 (17.02%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6cedvxc3qi3pocobsdk754epjpgkkvhz4vwhkgpldu2dkm2izpsq._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
46f8fc3fce1ea9a75ddf3756a7bcdd1fea6b5d86717dfef472a4177d4bb8ab8e
Pony
4fb8dc37db10133ce52d868244771f6232f6ef9deb20fd4354af1ef3b36e2149
Pony
5623df29bdeb9756ab512f3c77dd11725878939a0b8d98726798d8604ab60dfa
Pony
859936cf64b25cbf05d8d910b98ff8ebbb721649c9c01652787c27a38c8000d7
Pony
87dc16528521b99284a5d7e466d1cd5047c3ca27caaa05a0ea6ccd11b63dd3b8
Pony
a8748c739e91e0be7301e29fdc33f6054a0db6f6b949dbedcc188b3dc97be92c
Pony
b01bb1b0f8138c7ce50860cd5218554d6b049d0862ec48a4e2076c6e6e309bed
Pony
cf857e8a28a380c5e001013c6fd13a67f02782a84829801b12079048e8d86cf0
Pony
f055effd1f500e383d3d28270462d1930f7234d893d447ad47eed90dfdccabc4
Pony
fb8928337f3d9931fe26b1b891793360a61c93ef63af683621ea88f1707e9695
Pony
+ 180 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony discovery rat spyware stealer
Link:
https://tria.ge/reports/210321-vqbwsmftks/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Unpacked files
SH256 hash:
57508e99363f2f41d4d6f484e67a4afb4e75b9245c7f2841068d7cf144107710
MD5 hash:
e652a8f6723d62d5ab3a3d632d958217
SHA1 hash:
f459fed5027dcd0a436e98149a7ecd7f3d30976d
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/f96e8502-1fb4-460b-8826-181ecef7c6d9/
Parent samples :
f0883adc5b8236f709c190d5fef08f4bcca554f9e56c7519eb1d34353348cbe5
125c88c0a34185a8a6c38ba5e7d461ccc5b9d8a1acc87871a618c3e15c32be42
SH256 hash:
70917caa54bb5ff949c3815ead3879f2ee623e8e4a32cb86e27cdac7f8930ed5
MD5 hash:
5060843eaa2c665b23e119289f2c92f1
SHA1 hash:
8dda95e76a710d117b5f4a23ba9bf207afe38cae
Link:
https://www.unpac.me/results/f96e8502-1fb4-460b-8826-181ecef7c6d9/
SH256 hash:
fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5
MD5 hash:
8b603b23caf00139206f293eb741a9f0
SHA1 hash:
1cc90aec7ce07b13930fe0c088fe3cd155b3ea07
Link:
https://www.unpac.me/results/f96e8502-1fb4-460b-8826-181ecef7c6d9/
SH256 hash:
f0883adc5b8236f709c190d5fef08f4bcca554f9e56c7519eb1d34353348cbe5
MD5 hash:
d1b8361fb0820054e90295f5856d5a24
SHA1 hash:
b9418753627e239e1dcb180cbe714642847feb95
Link:
https://www.unpac.me/results/f96e8502-1fb4-460b-8826-181ecef7c6d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/f0883adc5b8236f709c190d5fef08f4bcca554f9e56c7519eb1d34353348cbe5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Pony

zip 5d5d1e9d0448bf1c30aa02818c5a4573b2af5d387c9cc63bef13bd3410a6ac0f

Pony

Executable exe f0883adc5b8236f709c190d5fef08f4bcca554f9e56c7519eb1d34353348cbe5

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 5d5d1e9d0448bf1c30aa02818c5a4573b2af5d387c9cc63bef13bd3410a6ac0f

Comments