SYMBOLCOMMON_NAMEaka. SYNONYMS
win.pony (Back to overview)

Pony

aka: Siplog, Fareit

Actor(s): Cobalt

URLhaus        

According to KnowBe4, Pony Stealer is a password stealer that can decrypt or unlock passwords for over 110 different applications including VPN, FTP, email, instant messaging, web browsers and much more. Pony Stealer is very dangerous and once it infects a PC it will turn the device into a botnet, allowing it to use the PCs it infects to infect other PCs.

References
2021-09-01YouTube (Black Hat)Tsuyoshi Taniguchi, Christian Doerr
@online{taniguchi:20210901:how:98ed0d5, author = {Tsuyoshi Taniguchi and Christian Doerr}, title = {{How Did the Adversaries Abusing the Bitcoin Blockchain Evade Our Takeover?}}, date = {2021-09-01}, organization = {YouTube (Black Hat)}, url = {https://www.youtube.com/watch?v=y8Z9KnL8s8s}, language = {English}, urldate = {2021-09-12} } How Did the Adversaries Abusing the Bitcoin Blockchain Evade Our Takeover?
Cerber Pony
2021-05-06Black HatTsuyoshi Taniguchi, Christian Doerr
@techreport{taniguchi:20210506:how:45b144d, author = {Tsuyoshi Taniguchi and Christian Doerr}, title = {{How Did the Adversaries Abusing Bitcoin Blockchain Evade Our Takeover}}, date = {2021-05-06}, institution = {Black Hat}, url = {https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf}, language = {English}, urldate = {2021-09-12} } How Did the Adversaries Abusing Bitcoin Blockchain Evade Our Takeover
Cerber Pony
2021-05-04YouTube (0xca7)0xca7
@online{0xca7:20210504:malware:7647ea6, author = {0xca7}, title = {{Malware - Anti-Analysis}}, date = {2021-05-04}, organization = {YouTube (0xca7)}, url = {https://www.youtube.com/watch?v=42yldTQ-fWA}, language = {English}, urldate = {2022-05-04} } Malware - Anti-Analysis
Pony
2021-04-12PTSecurityPTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-01-28Youtube (Virus Bulletin)Benoît Ancel
@online{ancel:20210128:bagsu:7de60de, author = {Benoît Ancel}, title = {{The Bagsu banker case}}, date = {2021-01-28}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=EyDiIAt__dI}, language = {English}, urldate = {2021-02-01} } The Bagsu banker case
Azorult DreamBot Emotet Pony TrickBot ZeusAction
2021SecureworksSecureWorks
@online{secureworks:2021:threat:9cb31b0, author = {SecureWorks}, title = {{Threat Profile: GOLD GALLEON}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-galleon}, language = {English}, urldate = {2021-06-01} } Threat Profile: GOLD GALLEON
Agent Tesla HawkEye Keylogger Pony GOLD GALLEON
2021SecureworksSecureWorks
@online{secureworks:2021:threat:c81b928, author = {SecureWorks}, title = {{Threat Profile: GOLD EVERGREEN}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-evergreen}, language = {English}, urldate = {2021-05-28} } Threat Profile: GOLD EVERGREEN
CryptoLocker Pony Zeus GOLD EVERGREEN
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-05-21Intel 471Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://intel471.com/blog/a-brief-history-of-ta505}, language = {English}, urldate = {2022-02-14} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020SecureworksSecureWorks
@online{secureworks:2020:gold:cbab642, author = {SecureWorks}, title = {{GOLD EVERGREEN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-evergreen}, language = {English}, urldate = {2020-05-23} } GOLD EVERGREEN
CryptoLocker Pony Zeus
2020SecureworksSecureWorks
@online{secureworks:2020:gold:65f4550, author = {SecureWorks}, title = {{GOLD ESSEX}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-essex}, language = {English}, urldate = {2020-05-27} } GOLD ESSEX
Cutwail Pony Pushdo NARWHAL SPIDER
2020SecureworksSecureWorks
@online{secureworks:2020:gold:cf5f9e4, author = {SecureWorks}, title = {{GOLD GALLEON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-galleon}, language = {English}, urldate = {2020-05-23} } GOLD GALLEON
Agent Tesla HawkEye Keylogger Pony Predator The Thief
2019-08-10Check PointOmer Gull
@online{gull:20190810:select:56061b1, author = {Omer Gull}, title = {{SELECT code_execution FROM * USING SQLite;}}, date = {2019-08-10}, organization = {Check Point}, url = {https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/}, language = {English}, urldate = {2020-02-09} } SELECT code_execution FROM * USING SQLite;
Azorult Loki Password Stealer (PWS) Pony
2019-07-30int 0xcc blogRaashid Bhat
@online{bhat:20190730:practical:d049779, author = {Raashid Bhat}, title = {{Practical Threat Hunting and Incidence Response : A Case of A Pony Malware Infection}}, date = {2019-07-30}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection}, language = {English}, urldate = {2020-01-08} } Practical Threat Hunting and Incidence Response : A Case of A Pony Malware Infection
Pony
2018-04-18SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20180418:gold:c342756, author = {Counter Threat Unit ResearchTeam}, title = {{GOLD GALLEON: How a Nigerian Cyber Crew Plunders the Shipping Industry}}, date = {2018-04-18}, organization = {Secureworks}, url = {https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry}, language = {English}, urldate = {2021-06-01} } GOLD GALLEON: How a Nigerian Cyber Crew Plunders the Shipping Industry
Agent Tesla HawkEye Keylogger Pony GOLD GALLEON
2017-06McAfeeMcAfee
@techreport{mcafee:201706:mcafee:9fb6783, author = {McAfee}, title = {{McAfee Labs Threats Report}}, date = {2017-06}, institution = {McAfee}, url = {https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf}, language = {English}, urldate = {2020-01-06} } McAfee Labs Threats Report
Pony
2016-08UperesiaFelix Weyne
@online{weyne:201608:analysis:10758de, author = {Felix Weyne}, title = {{Analysis of a packed Pony downloader}}, date = {2016-08}, organization = {Uperesia}, url = {https://www.uperesia.com/analysis-of-a-packed-pony-downloader}, language = {English}, urldate = {2020-01-06} } Analysis of a packed Pony downloader
Pony
2015-09-09KnowBe4KnowBe4
@online{knowbe4:20150909:pony:9ec426a, author = {KnowBe4}, title = {{Pony Stealer Malware}}, date = {2015-09-09}, organization = {KnowBe4}, url = {https://www.knowbe4.com/pony-stealer}, language = {English}, urldate = {2022-06-08} } Pony Stealer Malware
Pony
2015-02-25Github (nyx0)nyx0
@online{nyx0:20150225:pony:17f5bd3, author = {nyx0}, title = {{Pony Sourcecode}}, date = {2015-02-25}, organization = {Github (nyx0)}, url = {https://github.com/nyx0/Pony}, language = {English}, urldate = {2020-01-09} } Pony Sourcecode
Pony
Yara Rules
[TLP:WHITE] win_pony_auto (20230125 | Detects win.pony.)
rule win_pony_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.pony."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pony"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 2bc0 5e 5f c9 c20c00 8945f8 ff7508 }
            // n = 7, score = 800
            //   2bc0                 | sub                 eax, eax
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   c9                   | leave               
            //   c20c00               | ret                 0xc
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_1 = { e8???????? c9 c21400 55 8bec 680000efbe }
            // n = 6, score = 800
            //   e8????????           |                     
            //   c9                   | leave               
            //   c21400               | ret                 0x14
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   680000efbe           | push                0xbeef0000

        $sequence_2 = { 0f84bd000000 3d04010000 0f87b2000000 8d45fc 50 e8???????? 8d85effeffff }
            // n = 7, score = 800
            //   0f84bd000000         | je                  0xc3
            //   3d04010000           | cmp                 eax, 0x104
            //   0f87b2000000         | ja                  0xb8
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d85effeffff         | lea                 eax, [ebp - 0x111]

        $sequence_3 = { 8d9c1f2108b449 035e3c c1c316 03d9 8bf9 33fb 23fa }
            // n = 7, score = 800
            //   8d9c1f2108b449       | lea                 ebx, [edi + ebx + 0x49b40821]
            //   035e3c               | add                 ebx, dword ptr [esi + 0x3c]
            //   c1c316               | rol                 ebx, 0x16
            //   03d9                 | add                 ebx, ecx
            //   8bf9                 | mov                 edi, ecx
            //   33fb                 | xor                 edi, ebx
            //   23fa                 | and                 edi, edx

        $sequence_4 = { 6a00 68???????? ffb5f0f7ffff ff35???????? e8???????? 8985ecf7ffff 6a00 }
            // n = 7, score = 800
            //   6a00                 | push                0
            //   68????????           |                     
            //   ffb5f0f7ffff         | push                dword ptr [ebp - 0x810]
            //   ff35????????         |                     
            //   e8????????           |                     
            //   8985ecf7ffff         | mov                 dword ptr [ebp - 0x814], eax
            //   6a00                 | push                0

        $sequence_5 = { c9 c3 c745f000000000 8d45f0 50 ff75f4 6a00 }
            // n = 7, score = 800
            //   c9                   | leave               
            //   c3                   | ret                 
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   6a00                 | push                0

        $sequence_6 = { 8d45f8 50 ff75fc ff750c ff7508 e8???????? }
            // n = 6, score = 800
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     

        $sequence_7 = { bfffffffff 33f9 0bf8 33fb 8d9417e0e62cfe 03563c }
            // n = 6, score = 800
            //   bfffffffff           | mov                 edi, 0xffffffff
            //   33f9                 | xor                 edi, ecx
            //   0bf8                 | or                  edi, eax
            //   33fb                 | xor                 edi, ebx
            //   8d9417e0e62cfe       | lea                 edx, [edi + edx - 0x1d31920]
            //   03563c               | add                 edx, dword ptr [esi + 0x3c]

        $sequence_8 = { 83f801 0f869c000000 50 ffb5e8efffff }
            // n = 4, score = 800
            //   83f801               | cmp                 eax, 1
            //   0f869c000000         | jbe                 0xa2
            //   50                   | push                eax
            //   ffb5e8efffff         | push                dword ptr [ebp - 0x1018]

        $sequence_9 = { c20800 833d????????00 741f ff35???????? ff15???????? 83c404 }
            // n = 6, score = 800
            //   c20800               | ret                 8
            //   833d????????00       |                     
            //   741f                 | je                  0x21
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   83c404               | add                 esp, 4

    condition:
        7 of them and filesize < 262144
}
Download all Yara Rules