Pony

Global rank: 18
Month rank: 28
Week rank: 25
IOCs: 93284

Pony is malware with two main functions — stealing information and dropping other malware with different tasks onto infected machines. It has been around since 2011, and it still actively attacks users in Europe and America.

Type: Stealer
Origin: Unknown
First seen: 1 January, 2011
Last seen: 1 June, 2023
Also known as: Fareit, Siplog


IOCs



What is Pony malware?

Pony, also known as Fareit or Siplog, is an information stealer and loader – malware used to collect data from infected machines and install other malicious programs. It was first spotted in the wild in 2011 and is known to attack users primarily in Europe and North America.

The earliest discovered version of Pony stealer is 1.7, and the latest known version is 2.2. Though regularly updated, the malware has not gained groundbreaking new features since its first discovery by Microsoft. In addition to its core functionality, Pony can also steal cryptocurrency wallet credentials, credentials stored by FTP clients, and autofill values from browsers.

In contrast to the majority of botnets, Pony stealer does not require a centralized C&C server or a group of C&C servers to carry out its attacks. Instead, each attacker can set up their own custom control server or purchase a server that was previously set up by another criminal, instantly gaining access to infrastructure that provides reports about the stolen data. In addition, the malware itself can be divided into two modules: the builder, which is used to construct clients that then have to be delivered to the victim’s machine to collect data, and the bot itself – the final payload.

General description of Pony malware

The robust functionality of the Pony trojan helped this malware keep its position as the most popular password stealer for five years. Apart from stealing credentials, much like RedLine, the malware can disable certain antivirus and Windows security features and run in the background completely hidden from the user, who may not have a clue that his or her PC is, in fact, infected. When activated, Pony stealer can use the infected PC to take part in botnet attacks, for example, using a hijacked machine to send spam emails. Pony can also download other malware to the victim’s machine and send harvested personal data to a destination specified by the attacker.

What’s more, Pony has been mentioned by multiple “hacker celebrities” as the backbone of many attack campaigns. For instance, the author of the infamous Andromeda botnet has referred to Pony as the “titanic work of the author of miracle (Fareit Bot),” further stating that the loader was incorporated in the Andromeda botnet attacks as a plug-in.

Part of the malware’s popularity stems from the fact that the source code of multiple Pony loader versions has been leaked and is available for download on the darknet. In particular, the source code of Pony builder and loader versions 1.9 and 2.0 is available for download on several underground forums.

The Pony stealer builder is a program that attackers use to construct custom Pony bots with pre-programmed C&C addresses to which stolen data is sent. The Pony bot is the actual program that performs the information stealing. According to the analysis, the bot is written primarily in assembly language. A peculiar feature of this malware that separates it from the rest of the pack is its decoding technique: the bot itself does not come equipped with a decoding algorithm. Instead, it uses simple functions that send the still-encrypted information to the control server, where stolen passwords and other data are decrypted.

Even though the core feature set of the Pony trojan has not changed drastically over the course of its lifespan, newer versions of the malware gained several anti-detection features designed to hinder research and disassembly. In addition to standard evasion and anti-debugging techniques, each attacker can apply various packers, including custom ones, to avoid detection by antivirus software.

With the use of packers, the malware gains a Russian “matryoshka” nesting-doll-like design. Because the payload is inactive while the package containing Pony stealer is being analyzed, the final payload cannot be detected by antivirus signatures: it is hidden in the innermost and smallest package. However, once activated, the Pony loader has to unpack itself, thus revealing its presence.

Pony malware analysis

A video of a simulation recorded in the ANY.RUN malware hunting service helps us analyze the behavior of Pony in depth.

Figure 1: A process graph generated by ANY.RUN makes it possible to examine the lifecycle of Pony in a visual form

Figure 2: Customizable text reports provided by ANY.RUN give more opportunities for research or for sharing study results

Pony malware execution process

In the case of our simulation, after the user ran the malicious file, the malware launched itself. Next, the malicious executable connected to the C2 server and started stealing information from the infected system. It should be noted that in some cases, Pony is known to download other malware to the victim’s machine.

Distribution of Pony malware

Based on the analysis, Pony is distributed in multiple ways, including email spam campaigns, exploit kits and DNS poisoning. Pony can also be hidden within free downloadable online programs and can mimic legitimate software. For example, malicious emails usually include either a Microsoft Word file or a JavaScript file. As soon as the document is downloaded and opened, Pony infects the victim’s PC and starts execution.

Another attack vector of Pony is a compromised DNS server that has been infected by other malware. In this case, the victim is redirected to a malicious website from which Pony downloads itself onto the user’s PC.

How to detect Pony stealer using ANY.RUN?

Analysts can examine what changes the malware made in the registry. Just click on the process and then on the "More Info" button in the window that appears. Then, in the "Advanced details of process" window, switch to the "Registry changes" tab. Note that you can switch between the friendly and raw display of changes. You can also try this method while analyzing GootKit or Danabot.

Figure 3: Registry changes made by Pony

Conclusion

Availability and a robust feature set helped make Pony stealer one of the most widely used information stealers. In fact, this malware is regularly used in attacks targeting Europe and North America. The danger of Pony attacks is further increased by its nesting-doll-like design, where the final payload hides within a layered package, helping it avoid easy detection. The interactive malware hunting service ANY.RUN gives researchers the ability to take a look at how this dangerous malware functions and examine its behavior in action in a safe environment.
