File name: | d788b5f8127e6f269f21712c78b68cf4 |
Full analysis: | https://app.any.run/tasks/a413131c-6147-41ba-8849-c84414dfd699 |
Verdict: | Malicious activity |
Threats: | Pony is a malware with two main functions — stealing information and dropping other viruses with different tasks on infected machines. It has been around since 2011, and it still actively attacks users in Europe and America. |
Analysis date: | May 24, 2019, 01:30:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/octet-stream |
File info: | ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid |
MD5: | D788B5F8127E6F269F21712C78B68CF4 |
SHA1: | 1A3850ED34220F2B4B9A8078F54FE51E56ABA0E8 |
SHA256: | 5A6A4840D5B3511EB7F2C153B5916047156BC523687FE66D14580C52BB3EFB42 |
SSDEEP: | 12288:lGroEWt5MxsZW/t0PbyMWhful/7TGus6/6W3uFSivAPWqcu9uTxvSOH:0roEWjMxKYOPbwu1fRl3vivScu8TsOH |
.ace | | | ACE compressed archive (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2964 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\d788b5f8127e6f269f21712c78b68cf4.ace" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3428 | "C:\Users\admin\Desktop\Order Confirmation OC-9873874634343.PDF.exe" | C:\Users\admin\Desktop\Order Confirmation OC-9873874634343.PDF.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2468 | "C:\Users\admin\AppData\Local\Temp\27555262\lss.exe" mln=jgc | C:\Users\admin\AppData\Local\Temp\27555262\lss.exe | — | Order Confirmation OC-9873874634343.PDF.exe |
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 14, 5 | ||||
3380 | C:\Users\admin\AppData\Local\Temp\27555262\lss.exe C:\Users\admin\AppData\Local\Temp\27555262\PAVXL | C:\Users\admin\AppData\Local\Temp\27555262\lss.exe | lss.exe | |
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 14, 5 | ||||
2336 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | lss.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Version: 4.6.1055.0 built by: NETFXREL2 |
(PID) Process: | (2964) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2964) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2964) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2964) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\d788b5f8127e6f269f21712c78b68cf4.ace | |||
(PID) Process: | (2964) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2964) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2964) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2964) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2964) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0 |
Operation: | write | Name: | Count |
Value: 0 | |||
(PID) Process: | (2964) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0 |
Operation: | write | Name: | Name |
Value: 542D4B42647265644B76737A7E794B566767537663764B5B7874767B4B43727A674B73202F2F7522712F26252072217125212E71252620262574202F75212F747123397674721717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171700 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2964 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2964.45598\Order Confirmation OC-9873874634343.PDF.exe | — | |
MD5:— | SHA256:— | |||
3428 | Order Confirmation OC-9873874634343.PDF.exe | C:\Users\admin\AppData\Local\Temp\27555262\bsp.ppt | text | |
MD5:F1B2A5610EAD79C3AC0DFAD58031AA2D | SHA256:4FBC46DED4AB8044A315AD45A15AD82C7DC11EFDA64ABD5AE3E1451FD0D08D28 | |||
3428 | Order Confirmation OC-9873874634343.PDF.exe | C:\Users\admin\AppData\Local\Temp\27555262\smw.dat | text | |
MD5:E16295B8906CDBCE3610E97C2CDFDFB3 | SHA256:E9866183F4DE0833E0569873769E079C0E8AEC253B10E4DFBC39CFF8D6B7CA86 | |||
3428 | Order Confirmation OC-9873874634343.PDF.exe | C:\Users\admin\AppData\Local\Temp\27555262\StructureConstants.pdf | text | |
MD5:50543BDC4B89515AD2D9292F5FD6070F | SHA256:1AFA71AE704F8F7D8322C5A854E2D62F1A53FCFEE3E1E35014FF6CBE0690F32A | |||
3428 | Order Confirmation OC-9873874634343.PDF.exe | C:\Users\admin\AppData\Local\Temp\27555262\vvr.icm | text | |
MD5:59AC759D5327F1EA521C68B766BEA773 | SHA256:A877BC7A874F3CE75047606359D7547F85F71509C196BC79F25BB1633B1E5D08 | |||
3428 | Order Confirmation OC-9873874634343.PDF.exe | C:\Users\admin\AppData\Local\Temp\27555262\mln=jgc | text | |
MD5:8659EA8D54955994B11630A841758C11 | SHA256:09733416DEB47397F53AAC72ED4F66DDDF637FF10968AA85A5FED8BEBD6B6480 | |||
3428 | Order Confirmation OC-9873874634343.PDF.exe | C:\Users\admin\AppData\Local\Temp\27555262\asl.bmp | text | |
MD5:DB46B459AC02A3828ED9BCF26A1BBD67 | SHA256:1C3A9A53294CBFF5995434D70914B5FC115E2D6B052E1723580232F06D625224 | |||
3428 | Order Confirmation OC-9873874634343.PDF.exe | C:\Users\admin\AppData\Local\Temp\27555262\oxi.ppt | text | |
MD5:8EEF455A8CEED3535FE8307ECE35B0A1 | SHA256:826DB5D65087F9B638E415ABF4B14BDEA9F6044D237DCBA2C9B09C25B79257CD | |||
3428 | Order Confirmation OC-9873874634343.PDF.exe | C:\Users\admin\AppData\Local\Temp\27555262\wvo.ico | text | |
MD5:A2B1E94EFEE1FC650C90FF0C88C4A3A9 | SHA256:7BB3A70909A9D0FAFF5ADE5F9CA1D70C5BAB1889E973260910DE0E6A699C3926 | |||
3428 | Order Confirmation OC-9873874634343.PDF.exe | C:\Users\admin\AppData\Local\Temp\27555262\ieb.pdf | text | |
MD5:0353CDB08E000D37BC32F42B5EFE2C5F | SHA256:3C8D962D1E5D02A29F0946510ABCC0489D94A9784A62181015D4939091227016 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2336 | RegSvcs.exe | GET | — | 185.171.24.173:80 | http://avrupaendustri.com/wp-admin/css/colors/blue/coreserver/shit.exe | TR | — | — | malicious |
2336 | RegSvcs.exe | GET | — | 185.171.24.173:80 | http://www.avrupaendustri.com/wp-admin/css/colors/blue/coreserver/shit.exe | TR | — | — | malicious |
2336 | RegSvcs.exe | POST | — | 185.171.24.173:80 | http://www.avrupaendustri.com/wp-admin/css/colors/blue/coreserver/gate.php | TR | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2336 | RegSvcs.exe | 185.171.24.173:80 | www.avrupaendustri.com | Bursabil Konfeksiyon Tekstil Bilisim Teknoloji insaat Sanayi ve Ticaret Limited Sirketi | TR | malicious |
Domain | IP | Reputation |
---|---|---|
www.avrupaendustri.com |
| malicious |
avrupaendustri.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2336 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2 |
2336 | RegSvcs.exe | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System |
2336 | RegSvcs.exe | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. |
2336 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer |
2336 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98 |
2336 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] Fareit/Pony Downloader Checkin |
2336 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 3 |
2336 | RegSvcs.exe | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System |
2336 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98 |
2336 | RegSvcs.exe | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. |