SYMBOLCOMMON_NAMEaka. SYNONYMS
win.pony (Back to overview)

Pony

aka: Siplog, Fareit

Actor(s): Cobalt

URLhaus        

There is no description at this point.

References
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-05-21Intel 471Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020SecureworksSecureWorks
@online{secureworks:2020:gold:cf5f9e4, author = {SecureWorks}, title = {{GOLD GALLEON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-galleon}, language = {English}, urldate = {2020-05-23} } GOLD GALLEON
Agent Tesla HawkEye Keylogger Pony Predator The Thief
2020SecureworksSecureWorks
@online{secureworks:2020:gold:cbab642, author = {SecureWorks}, title = {{GOLD EVERGREEN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-evergreen}, language = {English}, urldate = {2020-05-23} } GOLD EVERGREEN
CryptoLocker Pony Zeus
2020SecureworksSecureWorks
@online{secureworks:2020:gold:65f4550, author = {SecureWorks}, title = {{GOLD ESSEX}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-essex}, language = {English}, urldate = {2020-05-27} } GOLD ESSEX
Cutwail Pony Pushdo NARWHAL SPIDER
2019-08-10Check PointOmer Gull
@online{gull:20190810:select:56061b1, author = {Omer Gull}, title = {{SELECT code_execution FROM * USING SQLite;}}, date = {2019-08-10}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/}, language = {English}, urldate = {2020-02-09} } SELECT code_execution FROM * USING SQLite;
Azorult Loki Password Stealer (PWS) Pony
2019-07-30int 0xcc blogRaashid Bhat
@online{bhat:20190730:practical:d049779, author = {Raashid Bhat}, title = {{Practical Threat Hunting and Incidence Response : A Case of A Pony Malware Infection}}, date = {2019-07-30}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection}, language = {English}, urldate = {2020-01-08} } Practical Threat Hunting and Incidence Response : A Case of A Pony Malware Infection
Pony
2017-06McAfeeMcAfee
@techreport{mcafee:201706:mcafee:9fb6783, author = {McAfee}, title = {{McAfee Labs Threats Report}}, date = {2017-06}, institution = {McAfee}, url = {https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf}, language = {English}, urldate = {2020-01-06} } McAfee Labs Threats Report
Pony
2016-08UperesiaFelix Weyne
@online{weyne:201608:analysis:10758de, author = {Felix Weyne}, title = {{Analysis of a packed Pony downloader}}, date = {2016-08}, organization = {Uperesia}, url = {https://www.uperesia.com/analysis-of-a-packed-pony-downloader}, language = {English}, urldate = {2020-01-06} } Analysis of a packed Pony downloader
Pony
2015-02-25Github (nyx0)nyx0
@online{nyx0:20150225:pony:17f5bd3, author = {nyx0}, title = {{Pony Sourcecode}}, date = {2015-02-25}, organization = {Github (nyx0)}, url = {https://github.com/nyx0/Pony}, language = {English}, urldate = {2020-01-09} } Pony Sourcecode
Pony
Yara Rules
[TLP:WHITE] win_pony_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_pony_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pony"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 83f8ff 7526 ff7508 e8???????? 0bc0 7507 }
            // n = 7, score = 800
            //   e8????????           |                     
            //   83f8ff               | cmp                 eax, -1
            //   7526                 | jne                 0x28
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   0bc0                 | or                  eax, eax
            //   7507                 | jne                 9

        $sequence_1 = { 8b7d08 47 47 2bd2 b900010000 88143a fec2 }
            // n = 7, score = 800
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   47                   | inc                 edi
            //   47                   | inc                 edi
            //   2bd2                 | sub                 edx, edx
            //   b900010000           | mov                 ecx, 0x100
            //   88143a               | mov                 byte ptr [edx + edi], dl
            //   fec2                 | inc                 dl

        $sequence_2 = { eb25 833d????????01 751a 68???????? e8???????? 50 68???????? }
            // n = 7, score = 800
            //   eb25                 | jmp                 0x27
            //   833d????????01       |                     
            //   751a                 | jne                 0x1c
            //   68????????           |                     
            //   e8????????           |                     
            //   50                   | push                eax
            //   68????????           |                     

        $sequence_3 = { 83f800 7627 807c38ff20 7415 807c38ff0d 740e 807c38ff0a }
            // n = 7, score = 800
            //   83f800               | cmp                 eax, 0
            //   7627                 | jbe                 0x29
            //   807c38ff20           | cmp                 byte ptr [eax + edi - 1], 0x20
            //   7415                 | je                  0x17
            //   807c38ff0d           | cmp                 byte ptr [eax + edi - 1], 0xd
            //   740e                 | je                  0x10
            //   807c38ff0a           | cmp                 byte ptr [eax + edi - 1], 0xa

        $sequence_4 = { ffb554ffffff ff7508 e8???????? eb0c 6a00 6a00 ff7508 }
            // n = 7, score = 800
            //   ffb554ffffff         | push                dword ptr [ebp - 0xac]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   eb0c                 | jmp                 0xe
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_5 = { ff7514 e8???????? 8985b8feffff 683e010000 }
            // n = 4, score = 800
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   e8????????           |                     
            //   8985b8feffff         | mov                 dword ptr [ebp - 0x148], eax
            //   683e010000           | push                0x13e

        $sequence_6 = { ff75f0 ff7508 e8???????? eb0e ff75e8 }
            // n = 5, score = 800
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   eb0e                 | jmp                 0x10
            //   ff75e8               | push                dword ptr [ebp - 0x18]

        $sequence_7 = { e8???????? ff7510 ff7508 e8???????? ff7518 ff7514 ff7508 }
            // n = 7, score = 800
            //   e8????????           |                     
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   ff7518               | push                dword ptr [ebp + 0x18]
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_8 = { 85c0 0f8564ffffff ffb5bcfeffff e8???????? }
            // n = 4, score = 800
            //   85c0                 | test                eax, eax
            //   0f8564ffffff         | jne                 0xffffff6a
            //   ffb5bcfeffff         | push                dword ptr [ebp - 0x144]
            //   e8????????           |                     

        $sequence_9 = { 8d45f4 50 ff75fc e8???????? 85c0 7832 }
            // n = 6, score = 800
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7832                 | js                  0x34

    condition:
        7 of them and filesize < 262144
}
Download all Yara Rules