File name: | evil_1.eml |
Full analysis: | https://app.any.run/tasks/a9de0c57-eb80-448b-84bd-44dbc6edac7c |
Verdict: | Malicious activity |
Threats: | Pony is a malware with two main functions — stealing information and dropping other viruses with different tasks on infected machines. It has been around since 2011, and it still actively attacks users in Europe and America. |
Analysis date: | April 15, 2019, 02:45:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/html |
File info: | HTML document, ASCII text, with CRLF line terminators |
MD5: | D32257593D83880D5D037BDC76EBB260 |
SHA1: | 8CF4AFA45A1A88737EE025BCF35FCA070D0FB72D |
SHA256: | 85BADD4A140729C66064BC1D21F6822E0DBF592E203EC91C8DBA2447D42DC7E4 |
SSDEEP: | 6144:87PWcTFUFnJ5wJbfI6/BBh5kGw6YhVdPOF0EDSous5fbLKXNSNr25rM:E6J5ikafkLpHASouUnKXs |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2680 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\evil_1.eml" | C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Exit code: 0 Version: 14.0.6025.1000 | ||||
2856 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\G3C0XS49\REQUEST FOR INVITATION TO QUOTE pdf.arj" | C:\Program Files\WinRAR\WinRAR.exe | OUTLOOK.EXE | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3268 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2856.39794\REQUEST FOR INVITATION TO QUOTE.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2856.39794\REQUEST FOR INVITATION TO QUOTE.exe | — | WinRAR.exe |
User: admin Company: Umawa Integrity Level: MEDIUM Exit code: 0 Version: 1.08.0002 | ||||
4028 | C:\Users\admin\AppData\Local\Temp\Rar$EXa2856.39794\REQUEST FOR INVITATION TO QUOTE.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2856.39794\REQUEST FOR INVITATION TO QUOTE.exe | REQUEST FOR INVITATION TO QUOTE.exe | |
User: admin Company: Umawa Integrity Level: MEDIUM Exit code: 0 Version: 1.08.0002 | ||||
2804 | cmd /c ""C:\Users\admin\AppData\Local\Temp\1155453.bat" "C:\Users\admin\AppData\Local\Temp\Rar$EXa2856.39794\REQUEST FOR INVITATION TO QUOTE.exe" " | C:\Windows\system32\cmd.exe | — | REQUEST FOR INVITATION TO QUOTE.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2680 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR62D3.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2680 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\tmp6506.tmp | — | |
MD5:— | SHA256:— | |||
2680 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\G3C0XS49\REQUEST FOR INVITATION TO QUOTE pdf (2).arj\:Zone.Identifier:$DATA | — | |
MD5:— | SHA256:— | |||
2680 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\~Outlook Data File - NoMail.pst.tmp | — | |
MD5:— | SHA256:— | |||
2680 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6DCDAA74-462E-4A21-BF2F-E042BF891784}.tmp | — | |
MD5:— | SHA256:— | |||
2680 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{72C04E22-2B38-406B-8632-1D6326B74CA8}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | |
MD5:7D80C0A7E3849818695EAF4989186A3C | SHA256:72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597 | |||
2680 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | |
MD5:33BAA077B4FB5D4AADDEB7F1F52B81FE | SHA256:0970E695630545BF973C381F24304792698A9709EB95ED1F6646AC63E9E69A08 | |||
2680 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Outlook\NoMail.srs | srs | |
MD5:244908F7B1BAD5FAD33974C4C9136AA4 | SHA256:80B84F0B3AC75EF3790FE9610DD60CE25655C7BE21444BC8201BB37D29883C66 | |||
2680 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | |
MD5:48DD6CAE43CE26B992C35799FCD76898 | SHA256:7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A | |||
2680 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | pst | |
MD5:60D6C65D6DC42E48E8ACFFE63757B451 | SHA256:B9BD2C8D773143465815E31BB9139FB9761698A25DFBF49559E698A11F5A170A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2680 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2680 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
config.messenger.msn.com |
| whitelisted |
bravestking.borsodchern.us |
| malicious |