analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Пакет док-ов 14.10.7z

Full analysis: https://app.any.run/tasks/a3dc47db-717b-4131-a79c-decd728935b0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: October 14, 2019, 11:33:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
pony
fareit
loader
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

7849A3340E3250877018C3FE3479EBB4

SHA1:

D8A6BBEBCD6B708140C537BF769C68C781A3A8FA

SHA256:

49BEFCC143C95A82752D71C89F57B20296D361EF09DEC5A3BC8C694241878C02

SSDEEP:

1536:zp5yg69rvuJYuivEvc1U8pz0c+12f3R9pz7Msi1OiYkx:zp5yHuvivvKhc+1+ftIjEG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • OUTLOOK.EXE (PID: 2136)

    • Application was dropped or rewritten from another process

      • Весь пакет документов 14.10.exe (PID: 3280)
      • Весь пакет документов 14.10.exe (PID: 1528)

    • Detected Pony/Fareit Trojan

      • Весь пакет документов 14.10.exe (PID: 1528)

    • Downloads executable files from the Internet

      • Весь пакет документов 14.10.exe (PID: 1528)

    • PONY was detected

      • Весь пакет документов 14.10.exe (PID: 1528)

    • Downloads executable files from IP

      • Весь пакет документов 14.10.exe (PID: 1528)

    • Connects to CnC server

      • Весь пакет документов 14.10.exe (PID: 1528)

    • Actions looks like stealing of personal data

      • Весь пакет документов 14.10.exe (PID: 1528)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3320)

    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 2152)

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 2136)

    • Application launched itself

      • Весь пакет документов 14.10.exe (PID: 3280)

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2136)

    • Searches for installed software

      • Весь пакет документов 14.10.exe (PID: 1528)

    • Connects to server without host name

      • Весь пакет документов 14.10.exe (PID: 1528)

    • Starts CMD.EXE for self-deleting

      • Весь пакет документов 14.10.exe (PID: 1528)

    • Starts CMD.EXE for commands execution

      • Весь пакет документов 14.10.exe (PID: 1528)

  • INFO

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2136)

    • Application was crashed

      • Весь пакет документов 14.10.exe (PID: 3280)
      • Весь пакет документов 14.10.exe (PID: 1528)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
7
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs outlook.exe winrar.exe весь пакет документов 14.10.exe #PONY весь пакет документов 14.10.exe cmd.exe no specs ping.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2152"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Пакет док-ов 14.10.7z"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2136"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Rar$DIb2152.47573\Пакет док-ов 14.10.msg"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
3320"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\SCABNOFO\Весь пакет документов 14 10.001"C:\Program Files\WinRAR\WinRAR.exe
OUTLOOK.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3280"C:\Users\admin\AppData\Local\Temp\Rar$EXa3320.49872\Весь пакет документов 14.10.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3320.49872\Весь пакет документов 14.10.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
1528"C:\Users\admin\AppData\Local\Temp\Rar$EXa3320.49872\Весь пакет документов 14.10.exe" dfsrC:\Users\admin\AppData\Local\Temp\Rar$EXa3320.49872\Весь пакет документов 14.10.exe
Весь пакет документов 14.10.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
3908cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\admin\AppData\Local\Temp\Rar$EXa3320.49872\Весь пакет документов 14.10.exe"C:\Windows\system32\cmd.exeВесь пакет документов 14.10.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2416ping 127.0.0.1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 859
Read events
2 230
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
2
Text files
27
Unknown types
2

Dropped files

PID
Process
Filename
Type
2136OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR607B.tmp.cvr
MD5:
SHA256:
2136OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\SCABNOFO\Весь пакет документов 14 10 (2).001\:Zone.Identifier:$DATA
MD5:
SHA256:
2152WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb2152.47573\Пакет док-ов 14.10.msgmsg
MD5:8226CA558FA4B7C42173CFCFAC11425F
SHA256:79002D559AB9A8CAEE97209238F06C4B678D4FDC6003FCC50E58CF73B1A7CCAB
2136OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:D0FBF99D83F9D509BFE262AED5CF66DE
SHA256:A5B4DD3AA57BB0A3E46F863E14C3C60DE2FDD2AF34E65B608805FDD50AF739C3
2136OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\SCABNOFO\Весь пакет документов 14 10 (2).001compressed
MD5:4E43672C12085D67557E0CF7A36917A3
SHA256:A0217C3E7E73E2D7E7E7B940512BAABD35EEA5062B2090FC246EA3390FEE2BCC
3320WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3320.49872\Весь пакет документов 14.10.exeexecutable
MD5:608750B1779C67BB598737690140B09E
SHA256:F38C795EA17880BE245A351E07EAFCF85D8B47DFCD5C51161E3D8D73F86D29B1
2136OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:90A473AED74DE65E9A9A84093260BCDD
SHA256:CE508044916E1CF4B8475AFCAA2B3AA99DC1B5A49F3CF98B8892A082CC01CD03
2136OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inftext
MD5:48DD6CAE43CE26B992C35799FCD76898
SHA256:7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A
2136OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{AE801D99-F35A-4678-9A2F-D14957807234}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.pngimage
MD5:7D80C0A7E3849818695EAF4989186A3C
SHA256:72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597
2136OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\SCABNOFO\Весь пакет документов 14 10.001compressed
MD5:4E43672C12085D67557E0CF7A36917A3
SHA256:A0217C3E7E73E2D7E7E7B940512BAABD35EEA5062B2090FC246EA3390FEE2BCC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
9
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2136
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
1528
Весь пакет документов 14.10.exe
GET
200
185.203.119.169:80
http://185.203.119.169/index.php?id=0&un=61646d696e&cn=555345522d5043
BG
executable
97.0 Kb
malicious
1528
Весь пакет документов 14.10.exe
GET
185.203.119.169:80
http://185.203.119.169/index.php?id=0&un=61646d696e&cn=555345522d5043
BG
malicious
1528
Весь пакет документов 14.10.exe
POST
185.203.119.169:80
http://185.203.119.169/g_38472341.php
BG
malicious
1528
Весь пакет документов 14.10.exe
POST
185.203.119.169:80
http://185.203.119.169/g_38472341.php
BG
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1528
Весь пакет документов 14.10.exe
185.203.119.169:80
BelCloud Hosting Corporation
BG
malicious
1528
Весь пакет документов 14.10.exe
34.206.50.228:443
api.blockcypher.com
Amazon.com, Inc.
US
malicious
1528
Весь пакет документов 14.10.exe
104.16.54.3:443
blockchain.info
Cloudflare Inc
US
shared
2136
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
blockchain.info
  • 104.16.54.3
  • 104.16.55.3
shared
api.blockcypher.com
  • 34.206.50.228
  • 54.164.0.55
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
1528
Весь пакет документов 14.10.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1528
Весь пакет документов 14.10.exe
A Network Trojan was detected
ET CURRENT_EVENTS WinHttpRequest Downloading EXE
1528
Весь пакет документов 14.10.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
1528
Весь пакет документов 14.10.exe
A Network Trojan was detected
ET TROJAN Pony DLL Download M2
1528
Весь пакет документов 14.10.exe
A Network Trojan was detected
ET TROJAN Fareit/Pony Downloader Checkin 2
1528
Весь пакет документов 14.10.exe
A Network Trojan was detected
MALWARE [PTsecurity] Pony encrypted POST Data Request
1528
Весь пакет документов 14.10.exe
A Network Trojan was detected
ET TROJAN Fareit/Pony Downloader Checkin 2
1528
Весь пакет документов 14.10.exe
A Network Trojan was detected
MALWARE [PTsecurity] Pony encrypted POST Data Request
1528
Весь пакет документов 14.10.exe
A Network Trojan was detected
MALWARE [PTsecurity] Pony encrypted C2 Response
1528
Весь пакет документов 14.10.exe
A Network Trojan was detected
MALWARE [PTsecurity] Fareit/Pony CnC Server stdResponse
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Пакет док-ов 14.10.7z