Pony (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.pony (Back to overview)

Pony

aka: Siplog, Fareit

Actor(s): Cobalt

VTCollection URLhaus

According to KnowBe4, Pony Stealer is a password stealer that can decrypt or unlock passwords for over 110 different applications including VPN, FTP, email, instant messaging, web browsers and much more. Pony Stealer is very dangerous and once it infects a PC it will turn the device into a botnet, allowing it to use the PCs it infects to infect other PCs.

References

2024-05-14 ⋅ Check Point Research ⋅ Antonis Terefos, Tera0017
Foxit PDF “Flawed Design” Exploitation
Rafel RAT Agent Tesla AsyncRAT DCRat DONOT Nanocore RAT NjRAT Pony Remcos Venom RAT XWorm

2021-09-01 ⋅ YouTube (Black Hat) ⋅ Christian Doerr, Tsuyoshi Taniguchi
How Did the Adversaries Abusing the Bitcoin Blockchain Evade Our Takeover?
Cerber Pony

2021-05-06 ⋅ Black Hat ⋅ Christian Doerr, Tsuyoshi Taniguchi
How Did the Adversaries Abusing Bitcoin Blockchain Evade Our Takeover
Cerber Pony

2021-05-04 ⋅ YouTube (0xca7) ⋅ 0xca7
Malware - Anti-Analysis
Pony

2021-04-12 ⋅ PTSecurity ⋅ PTSecurity
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader

2021-01-28 ⋅ Youtube (Virus Bulletin) ⋅ Benoît Ancel
The Bagsu banker case
Azorult DreamBot Emotet Pony TrickBot ZeusAction

2021-01-01 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD EVERGREEN
CryptoLocker Pony Zeus GOLD EVERGREEN

2021-01-01 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD GALLEON
Agent Tesla HawkEye Keylogger Pony GOLD GALLEON

2020-07-30 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader

2020-07-29 ⋅ ESET Research ⋅ welivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor

2020-05-21 ⋅ Intel 471 ⋅ Intel 471
A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot

2020-01-01 ⋅ Secureworks ⋅ SecureWorks
GOLD GALLEON
Agent Tesla HawkEye Keylogger Pony Predator The Thief

2020-01-01 ⋅ Secureworks ⋅ SecureWorks
GOLD ESSEX
Cutwail Pony Pushdo NARWHAL SPIDER

2020-01-01 ⋅ Secureworks ⋅ SecureWorks
GOLD EVERGREEN
CryptoLocker Pony Zeus

2019-08-10 ⋅ Check Point ⋅ Omer Gull
SELECT code_execution FROM * USING SQLite;
Azorult Loki Password Stealer (PWS) Pony

2019-07-30 ⋅ int 0xcc blog ⋅ Raashid Bhat
Practical Threat Hunting and Incidence Response : A Case of A Pony Malware Infection
Pony

2018-04-18 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
GOLD GALLEON: How a Nigerian Cyber Crew Plunders the Shipping Industry
Agent Tesla HawkEye Keylogger Pony GOLD GALLEON

2017-06-01 ⋅ McAfee ⋅ McAfee
McAfee Labs Threats Report
Pony

2016-08-01 ⋅ Uperesia ⋅ Felix Weyne
Analysis of a packed Pony downloader
Pony

2015-09-09 ⋅ KnowBe4 ⋅ KnowBe4
Pony Stealer Malware
Pony

2015-02-25 ⋅ Github (nyx0) ⋅ nyx0
Pony Sourcecode
Pony

Yara Rules

[TLP:WHITE] win_pony_auto (20260504 | Detects win.pony.)

rule win_pony_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.pony."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pony"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 23d8 ff75f8 e8???????? ff7508 e8???????? 8bc3 5b }
            // n = 7, score = 800
            //   23d8                 | and                 ebx, eax
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   e8????????           |                     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8bc3                 | mov                 eax, ebx
            //   5b                   | pop                 ebx

        $sequence_1 = { 55 8bec 83c4f8 56 833d????????00 747c 833d????????00 }
            // n = 7, score = 800
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83c4f8               | add                 esp, -8
            //   56                   | push                esi
            //   833d????????00       |                     
            //   747c                 | je                  0x7e
            //   833d????????00       |                     

        $sequence_2 = { 33fb 23fa 33fb 8d8c0f8e4379a6 034e38 }
            // n = 5, score = 800
            //   33fb                 | xor                 edi, ebx
            //   23fa                 | and                 edi, edx
            //   33fb                 | xor                 edi, ebx
            //   8d8c0f8e4379a6       | lea                 ecx, [edi + ecx - 0x5986bc72]
            //   034e38               | add                 ecx, dword ptr [esi + 0x38]

        $sequence_3 = { e8???????? 5b 89ec 5d c20800 53 8b442408 }
            // n = 7, score = 800
            //   e8????????           |                     
            //   5b                   | pop                 ebx
            //   89ec                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20800               | ret                 8
            //   53                   | push                ebx
            //   8b442408             | mov                 eax, dword ptr [esp + 8]

        $sequence_4 = { e8???????? 50 50 ff7508 e8???????? e8???????? 68???????? }
            // n = 7, score = 800
            //   e8????????           |                     
            //   50                   | push                eax
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   e8????????           |                     
            //   68????????           |                     

        $sequence_5 = { 8bec 837d0800 741c 837d0c00 7416 ff7510 ff7508 }
            // n = 7, score = 800
            //   8bec                 | mov                 ebp, esp
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   741c                 | je                  0x1e
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0
            //   7416                 | je                  0x18
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_6 = { 8d85c0feffff 50 683f000f00 e8???????? 0bc0 7515 83bdc0feffff00 }
            // n = 7, score = 800
            //   8d85c0feffff         | lea                 eax, [ebp - 0x140]
            //   50                   | push                eax
            //   683f000f00           | push                0xf003f
            //   e8????????           |                     
            //   0bc0                 | or                  eax, eax
            //   7515                 | jne                 0x17
            //   83bdc0feffff00       | cmp                 dword ptr [ebp - 0x140], 0

        $sequence_7 = { 034e0c c1c10e 03ca 8bfa 33f9 23f8 }
            // n = 6, score = 800
            //   034e0c               | add                 ecx, dword ptr [esi + 0xc]
            //   c1c10e               | rol                 ecx, 0xe
            //   03ca                 | add                 ecx, edx
            //   8bfa                 | mov                 edi, edx
            //   33f9                 | xor                 edi, ecx
            //   23f8                 | and                 edi, eax

        $sequence_8 = { 50 e8???????? 68???????? 8d45f8 50 e8???????? 53 }
            // n = 7, score = 800
            //   50                   | push                eax
            //   e8????????           |                     
            //   68????????           |                     
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   53                   | push                ebx

        $sequence_9 = { 8945e8 ff75fc ff75f8 68???????? e8???????? 8945e4 837dec00 }
            // n = 7, score = 800
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   68????????           |                     
            //   e8????????           |                     
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   837dec00             | cmp                 dword ptr [ebp - 0x14], 0

    condition:
        7 of them and filesize < 262144
}

Download all Yara Rules

Pony Propose Change

References

Yara Rules

Pony