MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4e44a53a69291a3e254cc11fcf4dbe244f407cff4d919526a2532c65654ad89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	f4e44a53a69291a3e254cc11fcf4dbe244f407cff4d919526a2532c65654ad89
SHA3-384 hash:	98151b6c69a4fb15d2f6aedcbf6fe45640d892e40fb881848da5c8ffbcce2948ec24b2b4ea4c24b30fb9c234797a5079
SHA1 hash:	60bbf4133bb8897f6130fcc37bbf9c71139f0fba
MD5 hash:	85e5d033dd4d58642fcfd8894405191e
humanhash:	avocado-harry-california-nitrogen
File name:	qxHaVt5PjLDB5hS.exe
Download:	download sample
Signature	Pony Create hunting rule
File size:	216'064 bytes
First seen:	2020-05-10 07:51:48 UTC
Last seen:	2020-05-10 08:45:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:F7eWobjlg+qjKsp7NYtJzpysAW39nCnRxG5ScW:OpgfGKNYvpys7u3GHW
Threatray	135 similar samples on MalwareBazaar
TLSH	E624AE1136EE1635F1766BB149E0E4A2CBBAB66378B4E37E0D5100CA0AE6F50C951F37
Reporter	abuse_ch
Tags:	DHL exe Pony

abuse_ch

Malspam distributing Pony:

HELO: mail.saxco.com.my
Sending IP: 116.0.120.79
From: DHL Customer Service <Italy@dhl-news.com>
Subject: RE: DHL Pakistan (Pvt.) Ltd Copies of original shipping documents
Attachment: Shipping Documents.z (contains "qxHaVt5PjLDB5hS.exe")

Loki C2:
http://23.94.30.178/~brosxciv/k/panel/gate.php

Intelligence

File Origin

# of uploads :

# of downloads :

180

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Siggen9.45342.6298.22247.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-10 09:11:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 31 (83.87%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6tseuu5gski2hysuzqi7z5g34jcpib6p6tmrsutkeuzmmvsuvweq._file

Result

Malware family:

pony

Score:

10/10

Tags:

family:pony discovery rat spyware stealer

Link:

https://tria.ge/reports/201109-lv2e548zan/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks installed software on the system

Deletes itself

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Pony,Fareit

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Pony

zip 04a82e23e8f41f5d6f7c69c4d755cf1e4f22aa144eef15bd71288e111e2f079b

Pony

exe f4e44a53a69291a3e254cc11fcf4dbe244f407cff4d919526a2532c65654ad89

(this sample)

Dropped by

MD5 d8eb1d5532f2a3a2c1a973580c7d9d96

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 04a82e23e8f41f5d6f7c69c4d755cf1e4f22aa144eef15bd71288e111e2f079b

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample