File name:

cgbcjr.eml

Full analysis: https://app.any.run/tasks/ea2224c3-e32d-47a2-83b5-bbff4343e60b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: October 14, 2019, 08:39:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
pony
fareit
loader
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
MD5:

D4911F0691C586EDAE007F6E2C5AA9D8

SHA1:

364F4B8F51246C6F21CA590EE8333496026EC8ED

SHA256:

599ADACC234DCD97485E7BF261E4BC65F2BC52E841C98DE59D9A70B5A2B4E907

SSDEEP:

1536:HZHHlZwH2YmcDz2Q3XtLLaICIz4o6bm2B46aHyRVj1U7iE8okU8DaYbi2Zvzvnrg:H2WNcL3XebxqSVRmM1Di2ZbTNS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Весь пакет док-ов на оплату.exe (PID: 2372)
      • Весь пакет док-ов на оплату.exe (PID: 3132)

    • PONY was detected

      • Весь пакет док-ов на оплату.exe (PID: 3132)

    • Downloads executable files from the Internet

      • Весь пакет док-ов на оплату.exe (PID: 3132)

    • Detected Pony/Fareit Trojan

      • Весь пакет док-ов на оплату.exe (PID: 3132)

    • Downloads executable files from IP

      • Весь пакет док-ов на оплату.exe (PID: 3132)

    • Connects to CnC server

      • Весь пакет док-ов на оплату.exe (PID: 3132)

    • Actions looks like stealing of personal data

      • Весь пакет док-ов на оплату.exe (PID: 3132)

  • SUSPICIOUS

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 1504)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4064)

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 1504)

    • Searches for installed software

      • Весь пакет док-ов на оплату.exe (PID: 3132)

    • Connects to server without host name

      • Весь пакет док-ов на оплату.exe (PID: 3132)

    • Starts CMD.EXE for commands execution

      • Весь пакет док-ов на оплату.exe (PID: 3132)

    • Starts CMD.EXE for self-deleting

      • Весь пакет док-ов на оплату.exe (PID: 3132)

  • INFO

    • Application was crashed

      • Весь пакет док-ов на оплату.exe (PID: 2372)
      • Весь пакет док-ов на оплату.exe (PID: 3132)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 1504)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
6
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start outlook.exe winrar.exe весь пакет док-ов на оплату.exe #PONY весь пакет док-ов на оплату.exe cmd.exe no specs ping.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
504ping 127.0.0.1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
1504"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\cgbcjr.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.6025.1000
Modules
Images
c:\progra~1\micros~1\office14\outlook.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
2168cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\admin\AppData\Local\Temp\Rar$EXa4064.42990\Весь пакет док-ов на оплату.exe"C:\Windows\system32\cmd.exeВесь пакет док-ов на оплату.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2372"C:\Users\admin\AppData\Local\Temp\Rar$EXa4064.42990\Весь пакет док-ов на оплату.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa4064.42990\Весь пакет док-ов на оплату.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa4064.42990\весь пакет док-ов на оплату.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\certcli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
3132"C:\Users\admin\AppData\Local\Temp\Rar$EXa4064.42990\Весь пакет док-ов на оплату.exe" dfsrC:\Users\admin\AppData\Local\Temp\Rar$EXa4064.42990\Весь пакет док-ов на оплату.exe
Весь пакет док-ов на оплату.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa4064.42990\весь пакет док-ов на оплату.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\certcli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
4064"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\72NFUIGS\Весь пакет док-ов на оплату.001"C:\Program Files\WinRAR\WinRAR.exe
OUTLOOK.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
2 381
Read events
1 771
Write events
591
Delete events
19

Modification events

(PID) Process:(1504) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(1504) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(1504) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(1504) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(1504) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(1504) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(1504) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(1504) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(1504) OUTLOOK.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1330512052
(PID) Process:(1504) OUTLOOK.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
Operation:writeName:UISnapshot
Value:
1033;1046;1036;1031;1040;1041;1049;3082;1042;1055
Executable files
1
Suspicious files
2
Text files
27
Unknown types
1

Dropped files

PID
Process
Filename
Type
1504OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRB34D.tmp.cvr
MD5:
SHA256:
1504OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\72NFUIGS\Весь пакет док-ов на оплату (2).001\:Zone.Identifier:$DATA
MD5:
SHA256:
1504OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:
SHA256:
1504OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\72NFUIGS\Весь пакет док-ов на оплату (2).001compressed
MD5:
SHA256:
1504OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\72NFUIGS\Весь пакет док-ов на оплату.001compressed
MD5:
SHA256:
4064WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa4064.42990\Весь пакет док-ов на оплату.exeexecutable
MD5:
SHA256:
1504OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:
SHA256:
1504OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inftext
MD5:48DD6CAE43CE26B992C35799FCD76898
SHA256:7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A
1504OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_WorkHours_1_7EF60ABDD1002D48ADCE4337D5EBFDED.datxml
MD5:807EF0FC900FEB3DA82927990083D6E7
SHA256:4411E7DC978011222764943081500FFF0E43CBF7CCD44264BD1AB6306CA68913
1504OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_Calendar_2_3EFB4FE9CED5104FBDC442B35CF55F4C.datxml
MD5:B21ED3BD946332FF6EBC41A87776C6BB
SHA256:B1AAC4E817CD10670B785EF8E5523C4A883F44138E50486987DC73054A46F6F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
10
DNS requests
3
Threats
13

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1504
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3132
Весь пакет док-ов на оплату.exe
GET
200
185.203.119.169:80
http://185.203.119.169/index.php?id=0&un=61646d696e&cn=555345522d5043
BG
executable
97.0 Kb
malicious
3132
Весь пакет док-ов на оплату.exe
POST
185.203.119.169:80
http://185.203.119.169/g_38472341.php
BG
malicious
3132
Весь пакет док-ов на оплату.exe
GET
200
185.203.119.169:80
http://185.203.119.169/index.php?id=0&un=61646d696e&cn=555345522d5043
BG
executable
97.0 Kb
malicious
3132
Весь пакет док-ов на оплату.exe
POST
185.203.119.169:80
http://185.203.119.169/g_38472341.php
BG
malicious
3132
Весь пакет док-ов на оплату.exe
POST
185.203.119.169:80
http://185.203.119.169/g_38472341.php
BG
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3132
Весь пакет док-ов на оплату.exe
104.16.55.3:443
blockchain.info
Cloudflare Inc
US
shared
1504
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3132
Весь пакет док-ов на оплату.exe
185.203.119.169:80
BelCloud Hosting Corporation
BG
malicious
3132
Весь пакет док-ов на оплату.exe
54.164.0.55:443
api.blockcypher.com
Amazon.com, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
blockchain.info
  • 104.16.55.3
  • 104.16.54.3
shared
api.blockcypher.com
  • 54.164.0.55
  • 34.206.50.228
malicious

Threats

PID
Process
Class
Message
3132
Весь пакет док-ов на оплату.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3132
Весь пакет док-ов на оплату.exe
A Network Trojan was detected
ET CURRENT_EVENTS WinHttpRequest Downloading EXE
3132
Весь пакет док-ов на оплату.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3132
Весь пакет док-ов на оплату.exe
A Network Trojan was detected
ET TROJAN Pony DLL Download M2
3132
Весь пакет док-ов на оплату.exe
A Network Trojan was detected
ET TROJAN Fareit/Pony Downloader Checkin 2
3132
Весь пакет док-ов на оплату.exe
A Network Trojan was detected
MALWARE [PTsecurity] Pony encrypted POST Data Request
3132
Весь пакет док-ов на оплату.exe
A Network Trojan was detected
ET TROJAN Fareit/Pony Downloader Checkin 2
3132
Весь пакет док-ов на оплату.exe
A Network Trojan was detected
MALWARE [PTsecurity] Pony encrypted POST Data Request
3132
Весь пакет док-ов на оплату.exe
A Network Trojan was detected
ET CURRENT_EVENTS WinHttpRequest Downloading EXE
3132
Весь пакет док-ов на оплату.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
cgbcjr.eml