Field | Value |
---|---|
File name: | Invoice_BPNIR00015564_pdf.gz |
Full analysis: | https://app.any.run/tasks/88d42c69-258d-4a6b-8406-2ae990f001a9 |
Verdict: | Malicious activity |
Threats: | Pony is a malware with two main functions — stealing information and dropping other viruses with different tasks on infected machines. It has been around since 2011, and it still actively attacks users in Europe and America. |
Analysis date: | September 30, 2020, 09:11:50 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/gzip |
File info: | gzip compressed data, was "oo.exe", last modified: Wed Sep 30 03:03:53 2020, max speed, from FAT filesystem (MS-DOS, OS/2, NT) |
MD5: | AC4044E3518A6401DBCDCE9CD842301D |
SHA1: | 5148A33B7858348E852068D1E796905FC4B734DE |
SHA256: | 96284703D3C342FBF1D8937490DCEA83E3900AA993DD02C84679C8E7211FC89A |
SSDEEP: | 6144:Mk5jadcdXau6tNuPtq5eXMAuFydF4L+v9pgQ1ibFY5lrIv:kdcdKu6t41L8A4ydSC1pgsYFYLk |
Extension | Identification |
---|---|
.z/gz/gzip | GZipped data (100) |

Field | Value |
---|---|
Compression: | Deflated |
Flags: | FileName |
ModifyDate: | 2020:09:30 05:03:53+02:00 |
ExtraFlags: | Fastest Algorithm |
OperatingSystem: | FAT filesystem (MS-DOS, OS/2, NT/Win32) |
ArchivedFileName: | oo.exe |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2132 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Invoice_BPNIR00015564_pdf.gz" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
 | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 | | | |
2160 | "C:\Users\admin\Desktop\oo.exe" | C:\Users\admin\Desktop\oo.exe | — | explorer.exe |
 | User: admin; Integrity Level: HIGH; Exit code: 0 | | | |
2864 | "C:\Users\admin\Desktop\oo.exe" | C:\Users\admin\Desktop\oo.exe | — | oo.exe |
 | User: admin; Integrity Level: HIGH; Exit code: 0 | | | |
2068 | cmd /c ""C:\Users\admin\AppData\Local\Temp\1774500.bat" "C:\Users\admin\Desktop\oo.exe" " | C:\Windows\system32\cmd.exe | — | oo.exe |
 | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2132 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2132.46601\oo.exe | — | — | — |
2864 | oo.exe | C:\Users\admin\AppData\Local\Temp\1774500.bat | text | 3880EEB1C736D853EB13B44898B718AB | 936D9411D5226B7C5A150ECAF422987590A8870C8E095E1CAA072273041A86E7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2864 | oo.exe | POST | — | 185.10.112.34:80 | http://alhamra.com.sa/v/panelnew/gate.php | SA | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2864 | oo.exe | 185.10.112.34:80 | alhamra.com.sa | Nour Communication Co.Ltd - Nournet | SA | malicious |
Domain | IP | Reputation |
---|---|---|
alhamra.com.sa | | malicious |
PID | Process | Class | Message |
---|---|---|---|
2864 | oo.exe | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2 |
2864 | oo.exe | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System |
2864 | oo.exe | A Network Trojan was detected | ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98 |
2864 | oo.exe | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. |
2864 | oo.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer |
2864 | oo.exe | A Network Trojan was detected | LOADER [PTsecurity] Fareit/Pony Downloader Checkin |
2864 | oo.exe | A Network Trojan was detected | MALWARE [PTsecurity] Fareit/Pony CnC Server stdResponse |