SHA256: 3ceb1be127ade48abba35fd05e9d91323d64ada00235c15338652d8c14665811
File name: C$~sand-box~pony.exe
Detection ratio: 53 / 67
Analysis date: 2018-11-04 10:02:50 UTC ( 3 months, 2 weeks ago )
Antivirus Result Update
Ad-Aware Generic.DataStealer.1.320EE23D 20181104
AhnLab-V3 Trojan/Win32.Tepfer.R134252 20181103
ALYac Generic.DataStealer.1.320EE23D 20181104
Antiy-AVL Trojan[PSW]/Win32.Tepfer 20181104
Arcabit Generic.DataStealer.1.320EE23D 20181104
Avast Win32:Malware-gen 20181104
AVG Win32:Malware-gen 20181104
Avira (no cloud) TR/Kryptik.avp.8 20181103
Baidu Win32.Trojan-PSW.Fareit.a 20181102
BitDefender Generic.DataStealer.1.320EE23D 20181104
CAT-QuickHeal TrojanPWS.Fareit 20181103
ClamAV Win.Trojan.Fareit-403 20181104
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20181022
Cybereason malicious.ace85f 20180225
Cyren W32/Trojan.RHWW-4770 20181104
DrWeb Trojan.PWS.Stealer.13052 20181104
Emsisoft Generic.DataStealer.1.320EE23D (B) 20181104
Endgame malicious (moderate confidence) 20180730
ESET-NOD32 a variant of Win32/PSW.Fareit.A 20181104
F-Prot W32/S-89dff245!Eldorado 20181104
F-Secure Generic.DataStealer.1.320EE23D 20181104
Fortinet W32/Fareit.G!tr 20181104
GData Win32.Trojan-Stealer.Zbot.AB 20181104
Ikarus Trojan.Win32.Pony 20181104
Sophos ML heuristic 20180717
Jiangmin Trojan/PSW.Tepfer.ceut 20181104
K7AntiVirus Password-Stealer ( 003bbfec1 ) 20181104
K7GW Password-Stealer ( 003bbfec1 ) 20181104
Kaspersky Trojan-PSW.Win32.Tepfer.gen 20181104
Malwarebytes Spyware.Pony 20181104
MAX malware (ai score=100) 20181104
McAfee Artemis!AEE7E00ACE85 20181104
McAfee-GW-Edition BehavesLike.Win32.PWSZbot.nc 20181104
Microsoft PWS:Win32/Fareit 20181104
eScan Generic.DataStealer.1.320EE23D 20181104
NANO-Antivirus Trojan.Win32.Tepfer.famfvn 20181104
Palo Alto Networks (Known Signatures) generic.ml 20181104
Panda Trj/GdSda.A 20181104
Qihoo-360 Win32/Trojan.e51 20181104
Rising Stealer.Fareit!8.170 (TFE:5:u9umll4YNjC) 20181104
SentinelOne (Static ML) static engine - malicious 20181011
Sophos AV Troj/DwnLdr-MJA 20181104
Symantec Trojan.Fareit!gm 20181103
Tencent Win32.Trojan-qqpass.Qqrob.Lscd 20181104
TheHacker Posible_Worm32 20181104
TrendMicro TSPY_FAREIT.SMY 20181104
TrendMicro-HouseCall TSPY_FAREIT.SMY 20181104
VBA32 BScope.Malware-Cryptor.Ponik 20181102
VIPRE Trojan.Win32.Fareit.j (fs) 20181102
Webroot W32.Fareit 20181104
Yandex Trojan.PSteal.Gen.TO 20181102
Zillya Trojan.Fareit.Win32.26135 20181102
ZoneAlarm by Check Point Trojan-PSW.Win32.Tepfer.gen 20181104
AegisLab 20181104
Alibaba 20180921
Avast-Mobile 20181104
Babable 20180918
Bkav 20181102
CMC 20181104
Cylance 20181104
eGambit 20181104
Kingsoft 20181104
SUPERAntiSpyware 20181031
Symantec Mobile Insight 20181030
TACHYON 20181104
TotalDefense 20181104
Trustlook 20181104
ViRobot 20181103
Zoner 20181104
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Packers identified
F-PROT UPX_LZMA
PEiD UPX 2.93 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2018-04-20 16:43:08
Entry Point 0x0001D880
Number of sections 3
PE sections
PE imports
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
RegCloseKey
CoCreateGuid
StrStrA
ObtainUserAgentString
wsprintfA
LoadUserProfileA
InternetCrackUrlA
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
SubsystemVersion 4.0
MachineType Intel 386 or later, and compatibles
TimeStamp 2018:04:20 17:43:08+01:00
FileType Win32 EXE
PEType PE32
CodeSize 36864
LinkerVersion 2.5
FileTypeExtension exe
InitializedDataSize 4096
ImageFileCharacteristics No relocs, Executable, No line numbers, No symbols, 32-bit
EntryPoint 0x1d880
OSVersion 4.0
ImageVersion 0.0
UninitializedDataSize 86016
File identification
MD5 aee7e00ace85ff9e2176868f71de4340
SHA1 09e83adc1c9d35eabfd9b11123973be0ee887370
SHA256 3ceb1be127ade48abba35fd05e9d91323d64ada00235c15338652d8c14665811
ssdeep 768:Krykw9IfADBvXGr9ID4rTsnHptT8q+5nbcuyD7UA:KyNtvKr8THunouy8A
authentihash 2617af342d2011fc26f4be34d17da2c38ad90806c614b14cd7d89c4584e15881
imphash 517ae6ac62193111d0ea9ff166b368f9
File size 35.0 KB ( 35840 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID UPX compressed Win32 Executable (38.2%)
Win32 EXE Yoda's Crypter (37.5%)
Win32 Dynamic Link Library (generic) (9.2%)
Win32 Executable (generic) (6.3%)
OS/2 Executable (generic) (2.8%)
Tags peexe upx
VirusTotal metadata
First submission 2018-04-20 17:10:54 UTC ( 10 months ago )
Last submission 2018-11-04 10:02:50 UTC ( 3 months, 2 weeks ago )
File names output.113053444.txt
pony.exe
3ceb1be127ade48a_pony.exe
PONY.EXE
pony.exe
output.112671255.txt
aee7e00ace85ff9e2176868f71de4340
C$~sand-box~pony.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.