File name: | 8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe |
Full analysis: | https://app.any.run/tasks/890037ff-e99b-462a-8f09-3e85ab899f73 |
Verdict: | Malicious activity |
Threats: | Pony is a malware with two main functions — stealing information and dropping other viruses with different tasks on infected machines. It has been around since 2011, and it still actively attacks users in Europe and America. |
Analysis date: | November 08, 2018, 16:12:04 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive |
MD5: | 0A1607169843DD56B26686FC0B180D04 |
SHA1: | 37C8A45797E686E8D1593BDB64CD3E19B38F610B |
SHA256: | 8E97F8E8283460CF5F58B37D291502E9E529836CADDFF2FE507B78484C44B8F8 |
SSDEEP: | 12288:OK2mhAMJ/cPlbVwPCkZZMiBKiaWpz1vulrreJA+LmbdjY07+bn1hf3rU6OGPATC7:f2O/GlbHk0SAMBvuwmxhKbH3rUO46GfG |
.exe | | | Win32 Executable MS Visual C++ (generic) (35.8) |
---|---|---|
.exe | | | Win64 Executable (generic) (31.7) |
.scr | | | Windows screen saver (15) |
.dll | | | Win32 Dynamic Link Library (generic) (7.5) |
.exe | | | Win32 Executable (generic) (5.1) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 5 |
ImageVersion: | - |
OSVersion: | 5 |
EntryPoint: | 0xac87 |
UninitializedDataSize: | - |
InitializedDataSize: | 58880 |
CodeSize: | 74752 |
LinkerVersion: | 9 |
PEType: | PE32 |
TimeStamp: | 2012:06:09 15:19:49+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 09-Jun-2012 13:19:49 |
Detected languages: |
|
Debug artifacts: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000F0 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 09-Jun-2012 13:19:49 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0001231E | 0x00012400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.55555 |
.rdata | 0x00014000 | 0x00001D15 | 0x00001E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.99401 |
.data | 0x00016000 | 0x00017724 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.54914 |
.CRT | 0x0002E000 | 0x00000020 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.394141 |
.rsrc | 0x0002F000 | 0x0000C2C0 | 0x0000C400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.45727 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.20816 | 1464 | Latin 1 / Western European | English - United States | RT_MANIFEST |
7 | 3.24143 | 556 | Latin 1 / Western European | English - United States | RT_STRING |
8 | 3.26996 | 974 | Latin 1 / Western European | English - United States | RT_STRING |
9 | 3.04375 | 530 | Latin 1 / Western European | English - United States | RT_STRING |
10 | 3.16254 | 776 | Latin 1 / Western European | English - United States | RT_STRING |
11 | 3.06352 | 380 | Latin 1 / Western European | English - United States | RT_STRING |
12 | 2.33959 | 102 | Latin 1 / Western European | English - United States | RT_STRING |
100 | 1.91924 | 20 | Latin 1 / Western European | Process Default Language | RT_GROUP_ICON |
101 | 4.19099 | 2998 | Latin 1 / Western European | English - United States | RT_BITMAP |
ASKNEXTVOL | 3.42597 | 646 | Latin 1 / Western European | English - United States | RT_DIALOG |
ADVAPI32.dll |
COMCTL32.dll |
COMDLG32.dll |
GDI32.dll |
KERNEL32.dll |
OLEAUT32.dll |
SHELL32.dll |
SHLWAPI.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3832 | "C:\Users\admin\AppData\Local\Temp\8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe" | C:\Users\admin\AppData\Local\Temp\8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3440 | "C:\Users\admin\AppData\Local\Temp\92255107\hhl.exe" jib=xce | C:\Users\admin\AppData\Local\Temp\92255107\hhl.exe | — | 8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe |
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 14, 5 | ||||
1696 | C:\Users\admin\AppData\Local\Temp\92255107\hhl.exe C:\Users\admin\AppData\Local\Temp\92255107\KZLRV | C:\Users\admin\AppData\Local\Temp\92255107\hhl.exe | — | hhl.exe |
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 14, 5 | ||||
3708 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | hhl.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Exit code: 0 Version: 4.6.1055.0 built by: NETFXREL2 | ||||
2580 | cmd /c ""C:\Users\admin\AppData\Local\Temp\6142828.bat" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" " | C:\Windows\system32\cmd.exe | — | RegSvcs.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3832 | 8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe | C:\Users\admin\AppData\Local\Temp\92255107\nfb.jpg | text | |
MD5:D9229C46969501683E84264DFC900599 | SHA256:1741B7CFE956ABA10A735941A792663CEB20C6A15AD1CD1C0DD793ABD91B86B4 | |||
3832 | 8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe | C:\Users\admin\AppData\Local\Temp\92255107\slk.pdf | text | |
MD5:D867D0455EC86706F27044F81569C66C | SHA256:49CB20241344D86F47456ADE264339600ECDE5C3B449082677B5FB656307CBC7 | |||
3832 | 8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe | C:\Users\admin\AppData\Local\Temp\92255107\qcm.mp4 | text | |
MD5:54916A157A111880A26C2A85E3A72637 | SHA256:6D030ADD5EBCBF4233EDDF768AE92E359DCCC53DA36168F46D1CF22D0968096C | |||
3832 | 8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe | C:\Users\admin\AppData\Local\Temp\92255107\kdp.ico | text | |
MD5:916A9321D0CB0287CC74FF106BC24F5B | SHA256:6B988D64F82DECF8F47CEEA9E2C332087F794FCA5C969AB9B1D51B05957231E0 | |||
3832 | 8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe | C:\Users\admin\AppData\Local\Temp\92255107\gri.mp4 | text | |
MD5:A6404D0E719A5C50A3A12CD1AAE3F572 | SHA256:72A0BF9F348EA96902340E99C742D63D9AC9F579177B32AD1F7EB88C9B34C6DC | |||
3832 | 8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe | C:\Users\admin\AppData\Local\Temp\92255107\lch.bmp | text | |
MD5:D14465350C17A331ECB38EF3F33F6802 | SHA256:EF4265A353430F19CD9CD524A552EBAB58F09D6223A7ECA525F1558E8803C738 | |||
3832 | 8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe | C:\Users\admin\AppData\Local\Temp\92255107\vci.docx | text | |
MD5:C2069426B3CF8D8EF02BBDDFDF8A0CA1 | SHA256:1A31F9DBA0A08B661157B54D7D5020D598EC853242F5D220968090DAC23EAA33 | |||
3832 | 8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe | C:\Users\admin\AppData\Local\Temp\92255107\jib=xce | text | |
MD5:964A0A2BBE3A33EA3845207AAC054ACA | SHA256:5C2EBA2ADF376D4927073B241DEB044ABF3B17F9EA279BD456C11A4C841B8DC5 | |||
3832 | 8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe | C:\Users\admin\AppData\Local\Temp\92255107\dir.jpg | text | |
MD5:E7397F7D3FBDF7E965D6905CB11B4A53 | SHA256:4292B284D468E23F5A5237228FCC6757D5E4E609FBC43970407D5FD38D422114 | |||
3832 | 8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe | C:\Users\admin\AppData\Local\Temp\92255107\bgv.docx | text | |
MD5:3D9066ADCF210A54644C67EE857F3860 | SHA256:109A945493AEE126CD4151C9F09ECBD140FB44BF3FE3CEFF1102CC18F10DECE2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3708 | RegSvcs.exe | POST | — | 111.90.144.65:80 | http://aveiro-maroc.cf/ser/gate.php | MY | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3708 | RegSvcs.exe | 111.90.144.65:80 | aveiro-maroc.cf | Shinjiru Technology Sdn Bhd | MY | malicious |
Domain | IP | Reputation |
---|---|---|
aveiro-maroc.cf |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .cf Domain |
3708 | RegSvcs.exe | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System |
3708 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer |
3708 | RegSvcs.exe | Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.cf Domain |
3708 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2 |
3708 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98 |
3708 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] Fareit/Pony CnC Server stdResponse |