MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7354cf388d41e31f397e2aa0f40546ddd0b929a8aaf5ced7af3288aec34f236. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f7354cf388d41e31f397e2aa0f40546ddd0b929a8aaf5ced7af3288aec34f236
SHA3-384 hash: 5d514ded0168d51fb39b89c8b644426eeb0bf3a084608764e1ba1f385adb3b5fbb22c16f3f3865d221f54f37967cffd2
SHA1 hash: 5eb88cd730a0c2c69a3ff7e7876817b9d57aa0ab
MD5 hash: 3a990e8b280a4398f8f34c2bc06220a0
humanhash: autumn-harry-florida-earth
File name:PI.bat.exe
Download: download sample
Signature Pony
Create hunting rule
File size:722'944 bytes
First seen:2021-07-12 09:40:36 UTC
Last seen:2021-07-12 10:58:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:v6IsnXPlPFYQRZXN5GnTOdU+CHpZsz8yAKyFcXKaXAy2JBENoL0Z1KDJL3pMGjYm:SIIXPlP6QRqDKqcaQ0woYoBd7
Threatray 260 similar samples on MalwareBazaar
TLSH T185F41A2833BD9249F13BFFB59F60A6049FE576669725D14E3DD0428E1420E80EE76A33
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://gulshanti.com/hybrid/panel/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://gulshanti.com/hybrid/panel/gate.php https://threatfox.abuse.ch/ioc/159748/

Intelligence

File Origin
# of uploads :
2
# of downloads :
558
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PI.bat.exe
Verdict:
Malicious activity
Analysis date:
2021-07-12 09:43:13 UTC
Tags:
trojan pony fareit
Link:
https://app.any.run/tasks/a4f98956-f9eb-4bc7-add8-7d30bcec7d0d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171029/
Detection(s):
SecuriteInfo.com.Artemis3A990E8B280A.12632.16657.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0b3c5e7e-9c14-4788-8609-08b0501d4901
Result
Threat name:
Lokibot Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/814689
Signature
Detected Lokibot Info Stealer
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f7354cf388d41e31f397e2aa0f40546ddd0b929a8aaf5ced7af3288aec34f236/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 09:41:04 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=642uz44i2qpdd44x4kva6qcunxoqxeu2rkxvz3l26muiv3bu6i3a._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
25901472b94be9f035091caec12bd3f9b3e362322171cacf8d253d33475b053a
Pony
479c2742f5d9d61607933d59d483390286c627282b2f820d50aa72bb08fd536f
Pony
5ee70bdf6cfa9c2742889a7c724fa6940e40c64d6ab420303ea6e031ae3d6ce4
Pony
996059b3ab129e61f18969def21575cfefe1c32eb496720694f4adc342882b33
Pony
c4c21a36bd1f32a71dd00f0bd2fa78c9ab6cc9df30de77f4f99cb5d0da080cb3
Pony
d634843da16ff74a676a748989cd01916cd86278dc96c0d45fa9872dd78ba251
Pony
d91de77d646e5e9056f8dd3bba222fa5e32ed43c6a2f95543284f201a10aab13
Pony
f0883adc5b8236f709c190d5fef08f4bcca554f9e56c7519eb1d34353348cbe5
Pony
f272777ee69921d167509fdf27ad55f4deb671a9063854d63bef679aaa31d1ba
Pony
fe2853104646e2bd3446a2965268b953f728d3cdc941e8add4760975e2d12e86
Pony
+ 250 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony discovery rat spyware stealer
Link:
https://tria.ge/reports/210712-dvn4ttx26s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Malware Config
C2 Extraction:
https://gulshanti.com/hybrid/panel/gate.php
Unpacked files
SH256 hash:
5f5257e30cfc2caab058013ffc60f90fb8a5d780a14834e1371054290b7658e4
MD5 hash:
b0e14c3526d6623ae9b7b5f5e0efde76
SHA1 hash:
f7d127bff2dfb1100ebd55fdd12dfb7a2b382fdc
Link:
https://www.unpac.me/results/7be5e5e6-253d-4529-906c-e7482fa8938a/
SH256 hash:
6fa82a7f645dedfd0823f65bd7a5ac9220a8602d1b6b02f35d07e70e5b7d123a
MD5 hash:
9928ad4ff3e217c5207ab3a9511d53af
SHA1 hash:
4b945d62f27a0b3d47a4e2e925bc6445c4fb0833
Link:
https://www.unpac.me/results/7be5e5e6-253d-4529-906c-e7482fa8938a/
SH256 hash:
b944eb459f1e9dde988fc3c6fbcbb416129d33ef78d2a3bfa9ada7f9fb5c0267
MD5 hash:
f0dbdaa9963d51ad41c8207906115a1b
SHA1 hash:
3b1d5618dfd3030b4a162aa484cf8e80831b50f4
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/7be5e5e6-253d-4529-906c-e7482fa8938a/
SH256 hash:
ca35611d2c1fc65de9fbde52c9f91ce5b952ede5ebd796cea6240dd6562aa802
MD5 hash:
9b1024ef3e978eed051d016e81f4162c
SHA1 hash:
2a1d7612c1606a283029bb783b18319d636309b0
Link:
https://www.unpac.me/results/7be5e5e6-253d-4529-906c-e7482fa8938a/
SH256 hash:
f7354cf388d41e31f397e2aa0f40546ddd0b929a8aaf5ced7af3288aec34f236
MD5 hash:
3a990e8b280a4398f8f34c2bc06220a0
SHA1 hash:
5eb88cd730a0c2c69a3ff7e7876817b9d57aa0ab
Link:
https://www.unpac.me/results/7be5e5e6-253d-4529-906c-e7482fa8938a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f7354cf388d41e31f397e2aa0f40546ddd0b929a8aaf5ced7af3288aec34f236

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171029/

Comments