File name: | Swift Copy.gz |
Full analysis: | https://app.any.run/tasks/bde810da-3efb-4ceb-bc01-e20e770b5e44 |
Verdict: | Malicious activity |
Threats: | Pony is a malware with two main functions — stealing information and dropping other viruses with different tasks on infected machines. It has been around since 2011, and it still actively attacks users in Europe and America. |
Analysis date: | April 15, 2019, 14:15:55 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | DFE1E69F97BEA0D3CA7140FAB2BFA553 |
SHA1: | EA59C0BC9D4C3441FDA2829F87957FB6F13C8917 |
SHA256: | A565A1C5748808FECF9F692B0EEF5F3EC47A37A8A973DCE43EF694769E4AD0F8 |
SSDEEP: | 3072:RkAwMmEquxSKs8XWiO3/HMgzBrqLvX3pHsMs1LvEVVAFfliY:RkWFqhrHTzBGLnpM11AVVAFMY |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3848 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Swift Copy.gz.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2116 | "C:\Users\admin\AppData\Local\Temp\Rar$DIa3848.27945\Swift Copy.bat" | C:\Users\admin\AppData\Local\Temp\Rar$DIa3848.27945\Swift Copy.bat | — | WinRAR.exe |
User: admin Company: eggyhot Integrity Level: MEDIUM Exit code: 0 Version: 1.05.0001 | ||||
2068 | C:\Users\admin\AppData\Local\Temp\Rar$DIa3848.27945\Swift Copy.bat" | C:\Users\admin\AppData\Local\Temp\Rar$DIa3848.27945\Swift Copy.bat | Swift Copy.bat | |
User: admin Company: eggyhot Integrity Level: MEDIUM Exit code: 0 Version: 1.05.0001 | ||||
2324 | cmd /c ""C:\Users\admin\AppData\Local\Temp\1295515.bat" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3848.27945\Swift Copy.bat" " | C:\Windows\system32\cmd.exe | — | Swift Copy.bat |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
(PID) Process: | (3848) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3848) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3848) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3848) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Swift Copy.gz.rar | |||
(PID) Process: | (3848) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3848) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3848) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3848) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (3848) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | @C:\Windows\System32\acppage.dll,-6002 |
Value: Windows Batch File | |||
(PID) Process: | (3848) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3848 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3848.27945\Swift Copy.bat | executable | |
MD5:49E578B33B52E0FF0347340F360DC2F5 | SHA256:A748982219910CA0B9ED9509EADB85098405B2DFF57D438403BCCB9F7868D2C4 | |||
2068 | Swift Copy.bat | C:\Users\admin\AppData\Local\Temp\1295515.bat | text | |
MD5:3880EEB1C736D853EB13B44898B718AB | SHA256:936D9411D5226B7C5A150ECAF422987590A8870C8E095E1CAA072273041A86E7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2068 | Swift Copy.bat | GET | 404 | 49.51.155.12:80 | http://vman23.com/smt/smt.exe | CN | html | 209 b | malicious |
2068 | Swift Copy.bat | POST | 200 | 49.51.155.12:80 | http://vman23.com/smt/gate.php | CN | binary | 20 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2068 | Swift Copy.bat | 49.51.155.12:80 | vman23.com | — | CN | malicious |
Domain | IP | Reputation |
---|---|---|
vman23.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
2068 | Swift Copy.bat | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2 |
2068 | Swift Copy.bat | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System |
2068 | Swift Copy.bat | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. |
2068 | Swift Copy.bat | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer |
2068 | Swift Copy.bat | A Network Trojan was detected | ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98 |
2068 | Swift Copy.bat | A Network Trojan was detected | MALWARE [PTsecurity] Fareit/Pony Downloader Checkin |
2068 | Swift Copy.bat | A Network Trojan was detected | MALWARE [PTsecurity] Fareit/Pony CnC Server stdResponse |
2068 | Swift Copy.bat | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 3 |
2068 | Swift Copy.bat | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System |
2068 | Swift Copy.bat | A Network Trojan was detected | ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98 |