File name: | 0001.doc |
Full analysis: | https://app.any.run/tasks/fdf66e00-95ca-496c-837c-7138429b5395 |
Verdict: | Malicious activity |
Threats: | Pony is a malware with two main functions — stealing information and dropping other viruses with different tasks on infected machines. It has been around since 2011, and it still actively attacks users in Europe and America. |
Analysis date: | January 23, 2019, 08:21:07 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | BD54DD111DED5E955A3A6057705685CB |
SHA1: | 80E6F6D97D9357A20DECE232E31BA4D6E732434E |
SHA256: | C39B64791CAD7C73F5B3968C8482E77EAE90F18434250EB4D9087908AC952D15 |
SSDEEP: | 12288:x+JCUHtB4Rh5ErEzfqfoQDCqWh1RsnTMzw/ucqBlhZVo3mRqpJRRoo5g15gI131j:x+u2eT4ruPBj43HvRoo5g15gq |
.rtf | | | Rich Text Format (100) |
---|
Author: | wuyan |
---|---|
LastModifiedBy: | wuyan |
CreateDate: | 2019:01:03 16:14:00 |
ModifyDate: | 2019:01:03 16:34:00 |
RevisionNumber: | 3 |
TotalEditTime: | 1 minute |
Pages: | 1 |
Words: | 4 |
Characters: | 24 |
CharactersWithSpaces: | 27 |
InternalVersionNumber: | 57435 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3388 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\0001.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2320 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3020 | cmd /c %tmp%\A.R | C:\Windows\system32\cmd.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3508 | C:\Users\admin\AppData\Local\Temp\A.R | C:\Users\admin\AppData\Local\Temp\A.R | cmd.exe | |
User: admin Company: SpaceX Integrity Level: MEDIUM Description: Blanking D3d10_map_write_no_overwrite Tffler Attitudes Exit code: 0 | ||||
2972 | cmd /c ""C:\Users\admin\AppData\Local\Temp\1691906.bat" "C:\Users\admin\AppData\Local\Temp\A.R" " | C:\Windows\system32\cmd.exe | — | A.R |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3388 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR963B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3388 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$01.doc.rtf | pgc | |
MD5:7FAE1D3835A4E7284BF83D3B852C9505 | SHA256:A2141563C6F61BD8D9E6CBF5A24C2EA74FDD8AE89F0593BFC3465FE3CCE5FDF3 | |||
3388 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\653775D7.emf | emf | |
MD5:F7961E44FE51CEEE06391905162E18E0 | SHA256:DCD5C765BCCFAC9339A8985357B391A3FAC1AE571AC0E5A971938573742F306D | |||
3388 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\A.R | executable | |
MD5:3D4AB92CDC8EAD8E1941800124C6E018 | SHA256:07F856C8234F20D9AA4C439BBFBB27F0845DB72D0F0D0F56690E4A0E28D98EC0 | |||
3388 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:DA0EF51EC2928B8FD1B37B1075741641 | SHA256:ABB62B801FA9EFFC4FA58117EA539C0C36280316D1933EA6ADB8DD96CD9885F3 | |||
3508 | A.R | C:\Users\admin\AppData\Local\Temp\1691906.bat | text | |
MD5:3880EEB1C736D853EB13B44898B718AB | SHA256:936D9411D5226B7C5A150ECAF422987590A8870C8E095E1CAA072273041A86E7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3508 | A.R | POST | 200 | 69.64.57.177:80 | http://spimports.com.br/age/panel/gate.php | US | binary | 20 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3508 | A.R | 69.64.57.177:80 | spimports.com.br | server4you Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
spimports.com.br |
| malicious |
myp0nysite.ru |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3508 | A.R | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2 |
3508 | A.R | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System |
3508 | A.R | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. |
3508 | A.R | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer |
3508 | A.R | A Network Trojan was detected | ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98 |
3508 | A.R | A Network Trojan was detected | MALWARE [PTsecurity] Fareit/Pony Downloader Checkin |
3508 | A.R | A Network Trojan was detected | MALWARE [PTsecurity] Fareit/Pony CnC Server stdResponse |