analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Invoice_BPNIR00015564_pdf.gz

Full analysis: https://app.any.run/tasks/88d42c69-258d-4a6b-8406-2ae990f001a9
Verdict: Malicious activity
Threats:

Pony is a malware with two main functions — stealing information and dropping other viruses with different tasks on infected machines. It has been around since 2011, and it still actively attacks users in Europe and America.

Analysis date: September 30, 2020, 09:11:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
pony
fareit
stealer
opendir
Indicators:
MIME: application/gzip
File info: gzip compressed data, was "oo.exe", last modified: Wed Sep 30 03:03:53 2020, max speed, from FAT filesystem (MS-DOS, OS/2, NT)
MD5:

AC4044E3518A6401DBCDCE9CD842301D

SHA1:

5148A33B7858348E852068D1E796905FC4B734DE

SHA256:

96284703D3C342FBF1D8937490DCEA83E3900AA993DD02C84679C8E7211FC89A

SSDEEP:

6144:Mk5jadcdXau6tNuPtq5eXMAuFydF4L+v9pgQ1ibFY5lrIv:kdcdKu6t41L8A4ydSC1pgsYFYLk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • oo.exe (PID: 2160)
      • oo.exe (PID: 2864)
    • Detected Pony/Fareit Trojan

      • oo.exe (PID: 2864)
    • PONY was detected

      • oo.exe (PID: 2864)
    • Connects to CnC server

      • oo.exe (PID: 2864)
    • Actions looks like stealing of personal data

      • oo.exe (PID: 2864)
  • SUSPICIOUS

    • Searches for installed software

      • oo.exe (PID: 2864)
    • Application launched itself

      • oo.exe (PID: 2160)
    • Starts CMD.EXE for commands execution

      • oo.exe (PID: 2864)
  • INFO

    • Manual execution by user

      • oo.exe (PID: 2160)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.z/gz/gzip | GZipped data (100)

EXIF

ZIP

Compression: Deflated
Flags: FileName
ModifyDate: 2020:09:30 05:03:53+02:00
ExtraFlags: Fastest Algorithm
OperatingSystem: FAT filesystem (MS-DOS, OS/2, NT/Win32)
ArchivedFileName: oo.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs oo.exe #PONY oo.exe cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2132"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Invoice_BPNIR00015564_pdf.gz"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2160"C:\Users\admin\Desktop\oo.exe" C:\Users\admin\Desktop\oo.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2864"C:\Users\admin\Desktop\oo.exe" C:\Users\admin\Desktop\oo.exe
oo.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2068cmd /c ""C:\Users\admin\AppData\Local\Temp\1774500.bat" "C:\Users\admin\Desktop\oo.exe" "C:\Windows\system32\cmd.exeoo.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
815
Read events
787
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2132WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2132.46601\oo.exe
MD5:
SHA256:
2864oo.exeC:\Users\admin\AppData\Local\Temp\1774500.battext
MD5:3880EEB1C736D853EB13B44898B718AB
SHA256:936D9411D5226B7C5A150ECAF422987590A8870C8E095E1CAA072273041A86E7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2864
oo.exe
POST
185.10.112.34:80
http://alhamra.com.sa/v/panelnew/gate.php
SA
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2864
oo.exe
185.10.112.34:80
alhamra.com.sa
Nour Communication Co.Ltd - Nournet
SA
malicious

DNS requests

Domain
IP
Reputation
alhamra.com.sa
  • 185.10.112.34
malicious

Threats

PID
Process
Class
Message
2864
oo.exe
A Network Trojan was detected
ET TROJAN Fareit/Pony Downloader Checkin 2
2864
oo.exe
Potential Corporate Privacy Violation
ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
2864
oo.exe
A Network Trojan was detected
ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98
2864
oo.exe
Potential Corporate Privacy Violation
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
2864
oo.exe
A Network Trojan was detected
ET TROJAN Trojan Generic - POST To gate.php with no referer
2864
oo.exe
A Network Trojan was detected
LOADER [PTsecurity] Fareit/Pony Downloader Checkin
2864
oo.exe
A Network Trojan was detected
MALWARE [PTsecurity] Fareit/Pony CnC Server stdResponse
2 ETPRO signatures available at the full report
No debug info