Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now
35
Global rank
104 infographic chevron month
Month rank
95 infographic chevron week
Week rank
0
IOCs

Pony is a malware with two main functions — stealing information and dropping other viruses with different tasks on infected machines. It has been around since 2011, and it still actively attacks users in Europe and America.

Stealer
Type
Unknown
Origin
1 January, 2011
First seen
26 September, 2025
Last seen
Also known as
Fareit
Siplog

How to analyze Pony with ANY.RUN

Type
Unknown
Origin
1 January, 2011
First seen
26 September, 2025
Last seen

IOCs

IP addresses
103.195.236.181
207.241.224.2
203.170.81.33
212.58.20.11
89.12.148.197
74.91.117.64
151.106.124.106
45.196.119.115
172.67.133.102
104.21.13.228
81.169.145.86
67.215.225.205
85.192.165.229
116.122.158.195
87.247.241.226
176.32.230.23
74.208.236.90
107.180.4.94
66.111.4.54
66.111.4.53
Hashes
d08d2bfcde68285650878e1032a5d85f6b764f7fbd198abc376c8356503a7a2a
09a39084be748ad8a698d345cdc1f258d6fb3f79694fc9cdb5e7ca27af4d6598
77b73deb8c681b63c86adbe5c2583e7758e659bb38d5dbf2d4854ea4ab7fc0b5
86474356cf763c9150b007e79a0cad979ea6a82865b1b4cf7bd6ce2a7c66b4bb
0b6e22b802cdebd97e1b0096990b9a388d080421ca8570b2897ed4fcf22f4521
31ca432734bc4854e948fc0bdb2d14da67c6e5759cd54980e1ad0858b8102ec7
55754d7bc221d58cebc24daeb3476fa2dbfdaf6ab75e9d3a30456dd5cbf589e5
396bbb76b0072bca8e8dc20bee1c1a0a76f966644b070706b33b1332e464f2dc
1672dca4eff5c1973bb3b5a04f67b76c12e39450aee8d0d0bc08a8d0bbd01c03
27df3ea785d8cb2753674efde2a0374425aba3669f4c889f1c33792716b4465e
75b25ccb311ad31adc666685cbd3a379c1c5c4ad7191eb255739d12f8a927185
c4627f9f5094f116d3ceefccd8fa2322dc2577f424a6a6be883572d87fddd317
76c5c6c0bb102e5e9da01143a70130dca889101c3402f602d9ba79e5e9dbb89b
5e11bc02c9992f9adb4e7caff5a318bce6f9f24b7448c7c1de7e64e839aef949
b091f1b0dcbd363912f60af8d292dd4a642fb2313f36f57fec93da70ebafe3cd
74e80c3899c567dfb8ce0949762d9b77a6ceca39ce71f80a4996a854412cf358
24d2d17b66ab016a347df3d449e07ab9e9f4d328e670795ef1d176ea8430f71c
34244eca9a3d11de326bfa4fbe23cbe879d8f76749bdcfccbe8f217756c65302
40f89b0481e0ce1ce40b06767705647faf79446cc4deed7aa7b57659811c70b0
4dc6f44cf83ab06c5ec572d7cd61ba80a96025c36d79fede29d385612aeb28de
Domains
eurotsl.com
microsoftntdll.com
rasakltd.biz
frostite.biz
jajar.ru
arya-foundation.de
advwebs.com
belllflight.com
chinalarnpbase.com
tourscentralasian.com
vman22.com
gracetime.tech
vman23.com
pakarabi.net
blasternoon.ru
mqbearing.club
elihanss.ru
uy-akwaibom.ru
ezpz1.xyz
carikapapa.ml
URLs
http://91.121.84.204:8080/pony/gate.php
http://98.158.129.17:8080/pony/gate.php
http://63.251.20.180/pony/gate.php
http://londonpaerl.co.uk/yesup/gate.php
http://t00lz.sourceforge.net/pony/gate.php
http://reservehost.com/path/gate.php
http://mainserver.com/gate.php
http://www.oldhorse.info/
http://oldhorse.info/a.php
http://jimmyxyz.com/002/gate.php
http://3.124.104.244:58755/gate.php
http://www.arki.com:8080/ponyb/gate.php
http://arki.com:8080/ponyb/gate.php
http://tavana-es.com:443/myman/shit.exe
http://tavana-es.com/myman/shit.exe
http://tavana-es.com/myman/gate.php
http://seolinkmarket.com/idx.php
http://cmp.com.sg/signal/Deffult/gate.php
http://cmp.com.sg/signal/Deffult/book.exe
http://www.cmp.com.sg/signal/Deffult/book.exe
Last Seen at

Recent blog posts

post image
ANY.RUN Sandbox & Microsoft Sentinel: Les...
watchers 411
comments 0
post image
Fighting Telecom Cyberattacks: Investigating...
watchers 1808
comments 0
post image
Efficient SOC: How to Detect and Solve Incide...
watchers 912
comments 0

What is Pony malware?

Pony, also known as Fareit or Siplog, is an information stealer and loader – a malware used to collect data from infected machines and install other malicious programs. This particular virus was First Spotted in the wild in 2011. It is known to attack users primarily in Europe and North America.

The earliest discovered version of Pony stealer is 1.7, and the latest updated known version is 2.2. Though being regularly updated, the malware did not gain groundbreakingly new features since the time of its first discovery by Microsoft. In addition to the core functionality, Pony can also steal cryptocurrency wallet credentials, FTP clients, and autofill values from the browsers.

In contrast to the majority of botnets, Pony stealer does not require a centralized C&C server or a group of C&C servers to carry out its attacks. Instead, each attacker can set up their own custom control server or purchase a server that was previously set up by another criminal, instantly gaining access to infrastructure that provides reports about the stolen data. In addition, the malware itself can be divided into two modules, the builder, which is used to construct clients that are then have to be downloaded on the victim’s machine to collect data, and the bot itself – the final payload.

General description of Pony malware

The robust functionality of Pony trojan helped this malware to keep its position as the most popular password stealer through 5 years. Apart from being able to steal credentials the same as RedLine, malware can disable certain antivirus and windows security features and run in the background completely hidden from the user, who may not have a clue that his or her PC is, in fact, infected. When activated, Pony stealer can use the infected PC to take part in botnet attacks, for example, using a hijacked machine to send spam emails. Pony can also download other malware to the victim’s machine and send harvested personal data to a destination specified by the attacker.

What’s more, Pony has been mentioned by multiple “hacker celebrities” as the backbone of many attack campaigns. For instance, the author of the infamous Andromeda botnet has referred to Pony as the “titanic work of the author of miracle (Fareit Bot),” further stating that the loader was incorporated in the Andromeda botnet attacks as a plug-in.

Part of the malware’s popularity is because the source code of multiple Pony loader versions has been leaked and is available for download on the darknet. Particularly, the source code of Pony builder and loader versions 1.9 and 2.0 are available for download on several underground forums.

The Pony stealer builder is a program that attackers can use to construct custom Pony bots with pre-programmed C&C addresses, where stolen data can be sent. The Pony Bot is the actual program that is used for information stealing. According to the analysis, the Bot is written primarily in assembly language. A peculiar feature of this malware that separates it from the rest of the pack is its unique decoding technique. The Bot itself does not come equipped with a decoding algorithm, instead of using just simple functions that are programmed to send encrypted information to the control server, where stolen passwords and other data are decrypted.

Even though the core feature-set of Pony trojan has not changed drastically over the course of its lifespan, newer versions of the malware gained several anti-detection features designed to prevent research and disassembly of the malware. As such, in addition to standard anti-evasion and debugging techniques, each attacker has the ability to implement various packers, including custom ones, to avoid detection by antivirus software.

With the use of Packers, the malware gains a Russian “matryoshka” nesting-doll like-design. While the payload is inactive when the package containing Pony stealer is analyzed, the final payload cannot be detected by antivirus signatures since it is hidden in the innermost and smallest package. However, once activated, the Pony loader has to unpack itself, thus revealing its presence.

Pony malware analysis

A video of a simulation recorded in ANY.RUN malware hunting service helps us to perform the analysis of the behavior of Pony in-depth.

process graph of the pony execution Figure 1: A process graph generated by ANY.RUN enables to examine the lifecycle of Pony in a visual form

text report of a Pony analysis Figure 2: Customizable text reports provided by ANY.RUN gives more opportunities for research or sharing of study results

Pony malware execution process

In the case of our simulation, after the user ran the malicious file, the malware launched itself. Next, the malicious executable file connected to the C2 server and started stealing information from the infected system. It should be noted that in some cases, Pony is known to download other malware to the victim’s machine.

Distribution of Pony malware

Based on the analysis, Pony is distributed in multiple ways, including email spam campaigns, exploit kits and DNS poisoning. Also, Pony can be hidden within free downloadable online programs and can mimic legitimate software. For example, malicious emails usually include either a Microsoft Word archive or a JavaScript file. As soon as the document is downloaded and opened, Pony injects the victim’s PC and starts execution.

Another attack vector of Pony is through a compromised DNS server which is infected by another malware. In this case, the victim is redirected to a malicious website from where Pony downloads itself onto the users’ PC.

How to detect Pony stealer using ANY.RUN?

Analysts can perform an analysis of what changes the malware made in the registry. Just click on the process and then on the button "More Info" in the appeared window. Then, in the "Advanced details of process" window, switch to the "Registry changes" tab. Note that you can switch between the friendly and raw display of changes. You can also try this method while analyzing GootKit or Danabot.

pony fareit registry changes Figure 3: Registry changes made by Pony

Conclusion

Availability and robust feature set helped make Pony stealer one of the most widely used information stealers. In fact, this malware is regularly being used in attacks targeting Europe and North America. The danger of Pony attacks is further enhanced by its nesting-doll-like design, where the final payload hides within a layered package, allowing to avoid easy detection. Interactive malware hunting service ANY.RUN gives researchers the ability to take a look at how this dangerous malware functions and examine its behavior in action in a safe environment.

HAVE A LOOK AT

ACR Stealer screenshot
ACR Stealer is a modern information-stealing malware designed to harvest sensitive data from infected devices. Like other infostealers, it targets credentials, financial details, browser data, and files, enabling cybercriminals to monetize stolen information through direct fraud or underground market sales.
Read More
Prometei screenshot
Prometei
prometei
Prometei is a modular botnet malware family that silently infiltrates systems, hijacking their resources for illicit Monero (XMR) mining. Active since at least 2016, it combines stealth, persistence, and lateral movement capabilities. Notable for its global reach and opportunistic infection strategy, it is also used for credential theft.
Read More
Tycoon 2FA screenshot
Tycoon 2FA
tycoon
Tycoon 2FA is a phishing-as-a-service (PhaaS) platform designed to bypass multi-factor authentication (MFA) protections, particularly targeting Microsoft 365 and Gmail accounts. Its advanced evasion techniques and modular architecture make it a significant threat to organizations relying on MFA for security.
Read More
WhiteSnake screenshot
WhiteSnake
whitesnake
WhiteSnake is a stealer with advanced remote access capabilities. The attackers using this malicious software can control infected computers and carry out different malicious activities, including stealing sensitive files and data, recording audio, and logging keystrokes. WhiteSnake is sold on underground forums and often spreads through phishing emails.
Read More
VanHelsing Ransomware screenshot
VanHelsing is a sophisticated ransomware strain that appeared in early 2025, operating via the Ransomware-as-a-Service (RaaS) model and targeting primarily USA and France. It threatens mostly Windows systems but has variants for Linux, BSD, ARM, and ESXi, making it a multi-platform malware. It is also notable for its advanced evasion techniques, double extortion tactics, and rapid evolution.
Read More
Sality screenshot
Sality
sality
Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions.
Read More