File name: Счёт на оплату 09.09.2019.001
Full analysis: https://app.any.run/tasks/bbf6e4e1-ce22-43d3-ae9f-1756f307cfb2
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 11, 2019, 08:08:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, pony, loader, fareit
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 4EC03C267FE7A67094DC420260F3F910
SHA1: DB8D228286299E57B9F2B4C44575B711233996EB
SHA256: 93C8945CFCC4FBAA249884B0D4A0AB565BAC14F3402CC96D3F293DE2ADD748E5
SSDEEP: 1536:hA/fHVRCTo0fM5iYRzmRAK0RLyP2SAQfzcUG17jRc:hAH4gYSztK0oP2S5fz2Xu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Счёт на оплату 09.09.2019.exe (PID: 3424)
      • Счёт на оплату 09.09.2019.exe (PID: 2828)
    • Connects to CnC server
      • Счёт на оплату 09.09.2019.exe (PID: 3424)
    • Downloads executable files from IP
      • Счёт на оплату 09.09.2019.exe (PID: 3424)
    • Downloads executable files from the Internet
      • Счёт на оплату 09.09.2019.exe (PID: 3424)
    • Detected Pony/Fareit Trojan
      • Счёт на оплату 09.09.2019.exe (PID: 3424)
    • Actions look like stealing of personal data
      • Счёт на оплату 09.09.2019.exe (PID: 3424)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3000)
    • Application launched itself
      • Счёт на оплату 09.09.2019.exe (PID: 2828)
    • Connects to server without host name
      • Счёт на оплату 09.09.2019.exe (PID: 3424)
    • Searches for installed software
      • Счёт на оплату 09.09.2019.exe (PID: 3424)
  • INFO
    • Manual execution by user
      • explorer.exe (PID: 2292)
      • WinRAR.exe (PID: 3000)
      • cmd.exe (PID: 2552)
      • Счёт на оплату 09.09.2019.exe (PID: 2828)
      • cmd.exe (PID: 2220)
    • Application crashed
      • Счёт на оплату 09.09.2019.exe (PID: 2828)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
Total processes: 61
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0


Process information

PID 3560
  • CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\Счёт на оплату 09.09.2019.001.rar"
  • Path: C:\Program Files\WinRAR\WinRAR.exe
  • Parent process: explorer.exe
  • User: admin
  • Company: Alexander Roshal
  • Integrity Level: MEDIUM
  • Description: WinRAR archiver
  • Exit code: 0
  • Version: 5.60.0

PID 2292
  • CMD: "C:\Windows\explorer.exe"
  • Path: C:\Windows\explorer.exe
  • Parent process: explorer.exe
  • User: admin
  • Company: Microsoft Corporation
  • Integrity Level: MEDIUM
  • Description: Windows Explorer
  • Exit code: 1
  • Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3000
  • CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\Счёт на оплату 09.09.2019.001.rar" "C:\Users\admin\Downloads\Счёт на оплату 09.09.2019.001\"
  • Path: C:\Program Files\WinRAR\WinRAR.exe
  • Parent process: explorer.exe
  • User: admin
  • Company: Alexander Roshal
  • Integrity Level: MEDIUM
  • Description: WinRAR archiver
  • Exit code: 0
  • Version: 5.60.0

PID 2552
  • CMD: "C:\Windows\System32\cmd.exe"
  • Path: C:\Windows\System32\cmd.exe
  • Parent process: explorer.exe
  • User: admin
  • Company: Microsoft Corporation
  • Integrity Level: HIGH
  • Description: Windows Command Processor
  • Exit code: 3221225786
  • Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2220
  • CMD: "C:\Windows\System32\cmd.exe"
  • Path: C:\Windows\System32\cmd.exe
  • Parent process: explorer.exe
  • User: admin
  • Company: Microsoft Corporation
  • Integrity Level: HIGH
  • Description: Windows Command Processor
  • Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2828
  • CMD: "C:\Users\admin\Downloads\Счёт на оплату 09.09.2019.001\Счёт на оплату 09.09.2019.exe"
  • Path: C:\Users\admin\Downloads\Счёт на оплату 09.09.2019.001\Счёт на оплату 09.09.2019.exe
  • Parent process: explorer.exe
  • User: admin
  • Integrity Level: HIGH
  • Exit code: 3221225477

PID 3424
  • CMD: "C:\Users\admin\Downloads\Счёт на оплату 09.09.2019.001\Счёт на оплату 09.09.2019.exe" dfsr
  • Path: C:\Users\admin\Downloads\Счёт на оплату 09.09.2019.001\Счёт на оплату 09.09.2019.exe
  • Parent process: Счёт на оплату 09.09.2019.exe
  • User: admin
  • Integrity Level: HIGH
Total events: 594
Read events: 540
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3000 | WinRAR.exe | C:\Users\admin\Downloads\Счёт на оплату 09.09.2019.001\Счёт на оплату 09.09.2019.exe | executable
MD5: E2602314D7A1A540E8F3010197FEF73F
SHA256: 02D123793EB5A2550714A9D17FE8087865C791A1A678642868F1EB9569C2E0C6
HTTP(S) requests: 2
TCP/UDP connections: 7
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3424 | Счёт на оплату 09.09.2019.exe | POST | – | 195.123.227.99:80 | http://195.123.227.99/g_38472341.php | BG | – | – | malicious
3424 | Счёт на оплату 09.09.2019.exe | GET | 200 | 91.200.100.136:80 | http://91.200.100.136/index.php?id=0&un=61646d696e&cn=555345522d5043&p=433a5c55736572735c61646d696e5c446f776e6c6f6164735c3f3f3f3f203f3f203f3f3f3f3f3f2030392e30392e323031392e3030315c3f3f3f3f203f3f203f3f3f3f3f3f2030392e30392e323031392e657865 | unknown | executable | 97.0 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
– | – | 104.16.55.3:443 | blockchain.info | Cloudflare Inc | US | shared
3424 | Счёт на оплату 09.09.2019.exe | 91.200.100.136:80 | – | – | – | malicious
3424 | Счёт на оплату 09.09.2019.exe | 195.123.227.99:80 | – | ITL Company | BG | malicious
3424 | Счёт на оплату 09.09.2019.exe | 54.209.25.54:443 | api.blockcypher.com | Amazon.com, Inc. | US | malicious

DNS requests

Domain | IP | Reputation
blockchain.info | 104.16.55.3, 104.16.54.3 | shared
api.blockcypher.com | 54.209.25.54, 52.86.198.63 | whitelisted

Threats

PID | Process | Class | Message
3424 | Счёт на оплату 09.09.2019.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3424 | Счёт на оплату 09.09.2019.exe | A Network Trojan was detected | ET CURRENT_EVENTS WinHttpRequest Downloading EXE
3424 | Счёт на оплату 09.09.2019.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3424 | Счёт на оплату 09.09.2019.exe | A Network Trojan was detected | ET TROJAN Pony DLL Download M2
3424 | Счёт на оплату 09.09.2019.exe | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2