{
	"id": "79c63320-52df-46c5-986d-1fe90c852339",
	"created_at": "2026-04-06T00:17:02.752694Z",
	"updated_at": "2026-04-10T03:20:31.017838Z",
	"deleted_at": null,
	"sha1_hash": "aa0d671ef47df40ffc79418979c1fd77014e45a0",
	"title": "No money, but Pony! From a mail to a trojan horse | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 313946,
	"plain_text": "No money, but Pony! From a mail to a trojan horse | Malwarebytes Labs\r\nBy hasherezade\r\nPublished: 2015-11-18 · Archived: 2026-04-05 18:22:14 UTC\r\nIn this post, we will take a high- and low-level look at the Pony Trojan, delivered through a recent spam campaign.\r\nDuring our case study we showed some malicious samples being distributed in spam campaigns. Using this\r\ndistribution method, malware is often found attached to the e-mail as either:\r\nan executable (possibly compressed, e.g. a zip, rar or cab archive), sometimes pretending to be a different file\r\nformat, like Dyreza\r\na document (commonly PDF or some MS Office format) – like this Dridex downloader\r\nThis time we will present a sample with a slightly different delivery method. Instead of attaching the malicious file,\r\nthe attackers decided to just send a link and convince users to download the malware:\r\nThe scam is to make users curious about an unexpected money transfer, leading them to click on one of the links\r\nand download the associated file. It doesn’t really matter which link they click on, since they both deliver the\r\nsame sample.\r\nDuring download the browser may show a typical executable icon. The unusual extension is just another trick to\r\nconfuse users, who might be more wary of exe but not as much when encountering scr. The scr extension is used\r\nfor screensavers – but despite the different name, they are normal executables, and they can be run by Windows in\r\nthe same way.\r\nThe downloaded file tries to look trustworthy by using a well-known Adobe Reader icon and the filename\r\n“security” or “infos”.\r\nhttps://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/\r\nPage 1 of 9\n\nOnce executed, it deploys the Pony Trojan on the system. 
For more information about detection of this malware,\r\nclick the link below:\r\nmd5=8a55ecad10a7cf3dad3630ac40e420a1\r\nFor those of you who are satisfied just knowing that the file is malicious, you can stop reading after seeing the\r\nVirusTotal report. But if you are interested in the features of this malware family and in the tricks that it uses to hide its\r\nreal mission, keep reading!\r\nElements involved\r\n8a55ecad10a7cf3dad3630ac40e420a1 – original, packed sample (security.scr)\r\nb60d3a994a9074cc59d1e065d2583411 – Pony Loader\r\n9a822a6232b932187cd1857a740dfb85 – payload downloaded by Pony Loader\r\n(url format: http://(…)/wp.php)\r\nThe original sample, security.scr, is just an outer packing, used for the purpose of obfuscation. It loads into\r\nmemory another fully independent executable: Pony Loader.\r\nPony Loader\r\nSome years ago, the sourcecode of Pony Loader (bot) 1.9 along with Pony Builder (bot configurator) leaked\r\nonline. Later the same happened with version 2.0. Both sets became available to download on various forums.\r\nDuring this analysis, I will compare the current sample with the leaked material in order to identify changes made\r\nby the attackers.\r\nObfuscation Tricks\r\nLet’s take a look at the Entry Point:\r\nAs we can see, the flow is obfuscated. Transitions between basic blocks are made using the well-known trick\r\nPUSH-to-RET, which emulates a CALL to an address that is pushed onto the stack. But in Pony this technique is\r\nused in a more sophisticated way because there are some junk instructions added between the PUSH and the RET, in\r\naddition to a never-executed bogus conditional jump.\r\nDue to these tricks, common tools sometimes fail to correctly interpret the code. Example below:\r\nOllyDbg interpreted the pushed address as a string\r\nAnother trick used by this malware is delaying execution. 
For example, the malware executes GetTickCount in a\r\nloop until it gets a value satisfying a specific condition. The algorithm behind this trick is simple. The value returned\r\nby GetTickCount is divided by a predefined number. When the remainder equals another predefined value, the\r\nloop terminates. As a result, GetTickCount runs a pseudo-random number of times before the execution can\r\ncontinue.\r\nThis particular functionality matches the pattern found in Pony 1.9:\r\n[code firstline=”1004″ highlight=”1017″ title=”Pony.asm”]\r\nMainEntryPoint:\r\n    AntiDisasmTrick\r\n    .WHILE TRUE\r\n        invoke GetTickCount      ; tick count returned in eax\r\n        mov ecx, 10\r\n        xor edx, edx\r\n        div ecx                  ; remainder (eax mod 10) lands in edx\r\n        .IF edx == 5             ; leave the loop only when the remainder is 5\r\n            .BREAK\r\n        .ENDIF\r\n    .ENDW\r\n    invoke DoWork\r\n    invoke ExitProcess, 0\r\n[/code]\r\nStrings\r\nThe authors of the malware didn’t take care to obfuscate strings or API calls. At this stage, we can see all of\r\nthem clearly. Some of the strings are the same as (or suggest equivalent functionality to) those from the sample\r\nanalyzed by MalwareMustDie in 2013. However, the current sample seems not as offensive; for example, it\r\ndoesn’t include as many strings that reference password stealing as the previous one did.\r\nYou can see the complete (and commented) list of strings here:\r\nhttps://gist.github.com/hasherezade/1f3199b7b752db5d46c6\r\nTarget Identification\r\nSpecific modules in the sourcecode are included or excluded according to defined flags. 
The currently analysed\r\nsample has the following module included, used to target ‘NetSarang XFTP’:\r\n[code firstline=”8985″ highlight=”8991,9011″ title=”PasswordModules.asm”]\r\n; XFTP\r\n; http://www.netsarang.com/forum/xftp/list\r\n; Tested: Xftp 4 (Build 0077)\r\n; Tested: Xftp 4 (Build 0083)\r\n; SFTP: implemented\r\n\r\nIFDEF COMPILE_MODULE_XFTP\r\n\r\n.data\r\nCXftpAppDataDir db 'NetSarang',0\r\nCXftpConfigFile db '.xfp',0\r\n\r\n.code\r\nGrabXFTP proc stream\r\n    LOCAL hdr_ofs: DWORD\r\n    invoke StreamWriteModuleHeader, stream, MODULE_XFTP, 0\r\n    mov hdr_ofs, eax\r\n    invoke AppDataCommonFileScan, stream, offset CXftpAppDataDir, offset CXftpConfigFile, ITEMHDR_ID or 0\r\n    invoke StreamUpdateModuleLen, stream, hdr_ofs\r\n    ret\r\nGrabXFTP endp\r\n\r\nENDIF\r\n[/code]\r\nNetwork Communications\r\nIt didn’t take long to locate the URLs queried by our Pony sample:\r\nThe first URL, Windows Update, is used just after collecting information about the system. The malware sends a\r\nPOST request to the address as seen below.\r\nThe actual data being sent is an unencrypted report created by Pony, listing information about the infected system.\r\nThis traffic contains the keywords “PWDFILE0” and “MODU” as well as any stolen credentials the malware\r\nmight have extracted.\r\nIf you are wondering why this type of report was sent to the Windows Update server, I wondered the same thing. To\r\nfind out, I referred to the original code in order to check the intention behind it. 
As the code states, this function is\r\nsupposed to send the stolen credentials to the C\u0026C!\r\n[code title=”Pony.asm, function: DoWork” firstline=”961″]\r\n; Scan and send passwords\r\ninvoke ScanAndSend\r\n[/code]\r\nIt seems that the distributors of this piece of malware were not at all interested in collecting credentials, which is why\r\nthey set the beacon URL to the Windows Update address rather than a C\u0026C which could collect and store the\r\nstolen information. This probably happened because of lazy coders – instead of removing this fragment of code\r\nthey redirected the sending to a bogus URL.\r\nWe reconstructed how the configuration might have looked using the Pony Builder:\r\nPony also has downloader functionality.\r\n[code title=”Pony.asm, function: DoWork” firstline=”964″]\r\n; Run loader\r\nIFDEF ENABLE_LOADER\r\n    invoke RunLoader\r\nENDIF\r\n[/code]\r\nThe other URLs (ending in wp.php) are alternative locations of the second payload. They\r\nhave the extension php, but they serve a malicious executable that is downloaded by Pony, saved as an exe and run. The\r\nmalware reached out to each of the URLs, in a loop, in order to find an active one. 
The malware uses a hard-coded\r\nGET request to reach out:\r\nThose addresses were set on the “Loader” page in the Pony Builder:\r\nPassword Cracking\r\nThe Pony agent comes with a small dictionary of commonly used passwords.\r\nThe list matches a list found in the leaked sourcecode of Pony 1.9:\r\n; Password list used in windows user logon bruteforcer\r\nThis dictionary is used in an attack against local accounts retrieved by the function NetUserEnum.\r\nExample: the malware tries to log in as “Administrator”, checking all the passwords from the dictionary.\r\nAuto deleting\r\nFinally, Pony creates a batch script in %TEMP% with weirdly formatted content:\r\nThis script is meant to delete the Pony Loader after execution (it works in a loop, in order to wait for the sample to\r\nterminate). The same can be found in the Pony 1.9 code:\r\n.data\r\nszBatchFmt db '%d.bat',0\r\nszSelfDelQuoteFmt db\r\nConclusion\r\nThis sample seems to be compiled from the source of Pony 1.9 – the old one, without recent additions and\r\nimprovements. Moreover, some features of the original source are removed (i.e. those related to credential stealing). 
It\r\nseems that in this case, Pony Loader is used mainly as a downloader.\r\nAs the current example shows, sometimes “new” malware samples are not so new – they are only packed by new\r\npackers/crypters.\r\nAttackers often use leaked sourcecode as a base – but they neglect the fact that the same material is also available\r\nto malware analysts, allowing them to easily reveal everything they wanted to hide.\r\nAppendix\r\nhttp://blog.malwaremustdie.org/2013/06/case-of-pony-downloaded-zeus-via.html – description of Pony Loader by\r\n@malwaremustdie\r\nAbout the author\r\nUnpacks malware with as much joy as a kid unpacking candies.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/"
	],
	"report_names": [
		"no-money-but-pony-from-a-mail-to-a-trojan-horse"
	],
	"threat_actors": [],
	"ts_created_at": 1775434622,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa0d671ef47df40ffc79418979c1fd77014e45a0.pdf",
		"text": "https://archive.orkl.eu/aa0d671ef47df40ffc79418979c1fd77014e45a0.txt",
		"img": "https://archive.orkl.eu/aa0d671ef47df40ffc79418979c1fd77014e45a0.jpg"
	}
}