win.pony

Pony

aka: Siplog, Fareit

Actor(s): Cobalt


There is no description at this point.

References
2020-05-21 | Intel 471 | Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:cf5f9e4, author = {SecureWorks}, title = {{GOLD GALLEON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-galleon}, language = {English}, urldate = {2020-05-23} } GOLD GALLEON
Agent Tesla HawkEye Keylogger Pony Predator The Thief
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:cbab642, author = {SecureWorks}, title = {{GOLD EVERGREEN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-evergreen}, language = {English}, urldate = {2020-05-23} } GOLD EVERGREEN
CryptoLocker Pony Zeus
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:65f4550, author = {SecureWorks}, title = {{GOLD ESSEX}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-essex}, language = {English}, urldate = {2020-05-27} } GOLD ESSEX
Cutwail Pony Pushdo NARWHAL SPIDER
2019-08-10 | Check Point | Omer Gull
@online{gull:20190810:select:56061b1, author = {Omer Gull}, title = {{SELECT code_execution FROM * USING SQLite;}}, date = {2019-08-10}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/}, language = {English}, urldate = {2020-02-09} } SELECT code_execution FROM * USING SQLite;
Azorult Loki Password Stealer (PWS) Pony
2019-07-30 | int 0xcc blog | Raashid Bhat
@online{bhat:20190730:practical:d049779, author = {Raashid Bhat}, title = {{Practical Threat Hunting and Incidence Response : A Case of A Pony Malware Infection}}, date = {2019-07-30}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection}, language = {English}, urldate = {2020-01-08} } Practical Threat Hunting and Incidence Response : A Case of A Pony Malware Infection
Pony
2017-06 | McAfee | McAfee
@techreport{mcafee:201706:mcafee:9fb6783, author = {McAfee}, title = {{McAfee Labs Threats Report}}, date = {2017-06}, institution = {McAfee}, url = {https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf}, language = {English}, urldate = {2020-01-06} } McAfee Labs Threats Report
Pony
2016-08 | Uperesia | Felix Weyne
@online{weyne:201608:analysis:10758de, author = {Felix Weyne}, title = {{Analysis of a packed Pony downloader}}, date = {2016-08}, organization = {Uperesia}, url = {https://www.uperesia.com/analysis-of-a-packed-pony-downloader}, language = {English}, urldate = {2020-01-06} } Analysis of a packed Pony downloader
Pony
2015-02-25 | Github (nyx0) | nyx0
@online{nyx0:20150225:pony:17f5bd3, author = {nyx0}, title = {{Pony Sourcecode}}, date = {2015-02-25}, organization = {Github (nyx0)}, url = {https://github.com/nyx0/Pony}, language = {English}, urldate = {2020-01-09} } Pony Sourcecode
Pony
Yara Rules
[TLP:WHITE] win_pony_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_pony_auto {
    // Purpose: flag Pony (aka Fareit / Siplog) code by matching ten short x86
    // byte sequences that yara-signator lifted from the disassembly of memory
    // dumps and unpacked samples (see DISCLAIMER below). Every "e8 ????????"
    // is an x86 CALL rel32 whose relative target is wildcarded, so the
    // patterns survive different link layouts; the surrounding opcodes must
    // match byte-for-byte.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        // presumably the feature classes the generator selected patterns from — verify against the yara-signator docs
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pony"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // $sequence_0 .. $sequence_2: stack-argument setup around wildcarded
        // calls (push eax / push [ebp+8] / call ...); these are fairly generic
        // compiler shapes and carry little weight on their own.
        $sequence_0 = { 50 ff7508 e8???????? 8945f0 8d45f8 50 ff7508 }
            // n = 7, score = 800
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_1 = { e8???????? c745f001000000 8d45f0 50 ff7508 e8???????? 837df000 }
            // n = 7, score = 800
            //   e8????????           |                     
            //   c745f001000000       | mov                 dword ptr [ebp - 0x10], 1
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   837df000             | cmp                 dword ptr [ebp - 0x10], 0

        $sequence_2 = { 50 ff7508 e8???????? ff75fc e8???????? c9 c21000 }
            // n = 7, score = 800
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   c9                   | leave               
            //   c21000               | ret                 0x10

        // $sequence_3: register-only and/or/xor mixing; no memory operands, so
        // it is position independent but also short (5 bytes) — treat as weak.
        $sequence_3 = { 83e701 89f1 09f9 89d6 31ce }
            // n = 5, score = 800
            //   83e701               | and                 edi, 1
            //   89f1                 | mov                 ecx, esi
            //   09f9                 | or                  ecx, edi
            //   89d6                 | mov                 esi, edx
            //   31ce                 | xor                 esi, ecx

        $sequence_4 = { 6a00 ff75fc ff750c 6a00 6a00 e8???????? }
            // n = 6, score = 800
            //   6a00                 | push                0
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   e8????????           |                     

        // $sequence_5: fills a local structure with the constants 0x20 and 1
        // and copies two dwords from [ebx+4]/[ebx+8] via push/pop pairs — the
        // push/pop copy idiom is unusual for compiler output and is the
        // distinctive part of this pattern.
        $sequence_5 = { c745d820000000 c745dc01000000 ff7304 8f45e0 ff7308 8f45e4 }
            // n = 6, score = 800
            //   c745d820000000       | mov                 dword ptr [ebp - 0x28], 0x20
            //   c745dc01000000       | mov                 dword ptr [ebp - 0x24], 1
            //   ff7304               | push                dword ptr [ebx + 4]
            //   8f45e0               | pop                 dword ptr [ebp - 0x20]
            //   ff7308               | push                dword ptr [ebx + 8]
            //   8f45e4               | pop                 dword ptr [ebp - 0x1c]

        // $sequence_6: byte copy guarded by jecxz (skips the rep movsb when
        // ecx == 0), again followed by the push/pop copy idiom.
        $sequence_6 = { e302 f3a4 ff75cc 8f45e4 ff75d0 e8???????? }
            // n = 6, score = 800
            //   e302                 | jecxz               4
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   ff75cc               | push                dword ptr [ebp - 0x34]
            //   8f45e4               | pop                 dword ptr [ebp - 0x1c]
            //   ff75d0               | push                dword ptr [ebp - 0x30]
            //   e8????????           |                     

        // $sequence_7: reads the byte before esi, caps it at 8 and subtracts
        // it from esi — looks like a trailing-length / padding check, but the
        // exact purpose cannot be confirmed from these bytes alone.
        $sequence_7 = { 75ed 0fb646ff 83f808 7702 2bf0 2b7510 }
            // n = 6, score = 800
            //   75ed                 | jne                 0xffffffef
            //   0fb646ff             | movzx               eax, byte ptr [esi - 1]
            //   83f808               | cmp                 eax, 8
            //   7702                 | ja                  4
            //   2bf0                 | sub                 esi, eax
            //   2b7510               | sub                 esi, dword ptr [ebp + 0x10]

        // $sequence_8: spans a function boundary — leave / ret 0x10 (callee
        // cleans 16 bytes of arguments, stdcall-style) immediately followed by
        // the next function's push ebp / mov ebp, esp prologue. It therefore
        // depends on the two functions being adjacent in the binary.
        $sequence_8 = { c9 c21000 55 8bec ff750c e8???????? }
            // n = 6, score = 800
            //   c9                   | leave               
            //   c21000               | ret                 0x10
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   e8????????           |                     

        // $sequence_9: 0xca62c1d6 is the SHA-1 round constant for rounds
        // 60-79 and "rol esi, 0x1e" is the SHA-1 30-bit state rotation, so this
        // likely matches an embedded SHA-1 implementation. On its own it may
        // also hit benign code that statically links SHA-1; the 7-of-10
        // threshold below is what keeps that from producing a match.
        $sequence_9 = { 0345f8 05d6c162ca ff75fc 8f45f8 897dfc c1c61e 8bfe }
            // n = 7, score = 800
            //   0345f8               | add                 eax, dword ptr [ebp - 8]
            //   05d6c162ca           | add                 eax, 0xca62c1d6
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   8f45f8               | pop                 dword ptr [ebp - 8]
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   c1c61e               | rol                 esi, 0x1e
            //   8bfe                 | mov                 edi, esi

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be under 256 KiB (262144 bytes). Because the sequences
        // were taken from unpacked code (see DISCLAIMER), apply this rule to
        // memory dumps and unpacked files; a packed on-disk Pony sample will
        // typically not expose these bytes and will not match.
        7 of them and filesize < 262144
}