File name: | TNT_Ref25-08678762134_pdf.gz_AC2C568B8F931CA35EC3136B92C3C1DC.zip |
Full analysis: | https://app.any.run/tasks/4c4de072-cace-43c2-8b47-f34dc9ad8c0a |
Verdict: | Malicious activity |
Threats: | Pony is a malware with two main functions — stealing information and dropping other viruses with different tasks on infected machines. It has been around since 2011, and it still actively attacks users in Europe and America. |
Analysis date: | January 11, 2019, 10:30:03 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | B7EE951F197E30FAEC48AEC1D866CA65 |
SHA1: | 1D6A8B2E9B851023087A80ECA8E60A2EA5C17B25 |
SHA256: | CA7A0B74ED99C55254E8BBDBD4BAF54D2D078ACA099B67980E6455A765323D71 |
SSDEEP: | 3072:7RBHFDw4SFnDJumNJD80qQT0nkZu74U7IjPhUOBCt8z19oYyI/Xramyv7Ac:1BlcRJ5J40qQT/Q74U7WpC+t9Damy0c |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | TNT_Ref25-08678762134_pdf.gz |
---|---|
ZipUncompressedSize: | 195412 |
ZipCompressedSize: | 195318 |
ZipCRC: | 0x99ad50c5 |
ZipModifyDate: | 2019:01:11 09:51:20 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0009 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2864 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\TNT_Ref25-08678762134_pdf.gz_AC2C568B8F931CA35EC3136B92C3C1DC.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3652 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\TNT_Ref25-08678762134_pdf.gz" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2756 | "C:\Users\admin\Desktop\TNT Ref25-08678762134_pdf.exe" | C:\Users\admin\Desktop\TNT Ref25-08678762134_pdf.exe | — | explorer.exe |
User: admin Company: Marched5 Integrity Level: MEDIUM Description: Grimbeorn7 Exit code: 0 Version: 3.08.0004 | ||||
2668 | C:\Users\admin\Desktop\TNT Ref25-08678762134_pdf.exe" | C:\Users\admin\Desktop\TNT Ref25-08678762134_pdf.exe | TNT Ref25-08678762134_pdf.exe | |
User: admin Company: Marched5 Integrity Level: MEDIUM Description: Grimbeorn7 Exit code: 0 Version: 3.08.0004 | ||||
3328 | cmd /c ""C:\Users\admin\AppData\Local\Temp\1842468.bat" "C:\Users\admin\Desktop\TNT Ref25-08678762134_pdf.exe" " | C:\Windows\system32\cmd.exe | — | TNT Ref25-08678762134_pdf.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
(PID) Process: | (2864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2864) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\TNT_Ref25-08678762134_pdf.gz_AC2C568B8F931CA35EC3136B92C3C1DC.zip | |||
(PID) Process: | (2864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface |
Operation: | write | Name: | ShowPassword |
Value: 0 | |||
(PID) Process: | (2864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2864 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2864.14906\TNT_Ref25-08678762134_pdf.gz | compressed | |
MD5:AC2C568B8F931CA35EC3136B92C3C1DC | SHA256:2EBF495B042AB806AF0C776552F3FF62C6B260BBF07667BB7FF4A52DA22CEE1F | |||
3652 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3652.16436\TNT Ref25-08678762134_pdf.exe | executable | |
MD5:8EDEA4671DFFB8D17D65F4B5AB165060 | SHA256:735FCD68EC2C6DDD01A33F2FB2DFEEEDA2C15E7E6B2AE0957E4FDDFC00F71F59 | |||
2756 | TNT Ref25-08678762134_pdf.exe | C:\Users\admin\AppData\Local\Temp\~DF0F18F5702FD7667C.TMP | binary | |
MD5:8EECDF8C5C71C01DD9EF43F4C78EA32C | SHA256:E34833A82A5FB573AEFBA4E1B8CA68FDB85C0F99F4DA3E9903BB9E723316E42F | |||
2668 | TNT Ref25-08678762134_pdf.exe | C:\Users\admin\AppData\Local\Temp\1842468.bat | text | |
MD5:3880EEB1C736D853EB13B44898B718AB | SHA256:936D9411D5226B7C5A150ECAF422987590A8870C8E095E1CAA072273041A86E7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2668 | TNT Ref25-08678762134_pdf.exe | POST | — | 206.189.132.252:80 | http://lyricsbright.com/onyii/panelnew/gate.php | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2668 | TNT Ref25-08678762134_pdf.exe | 206.189.132.252:80 | lyricsbright.com | — | US | malicious |
Domain | IP | Reputation |
---|---|---|
lyricsbright.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2668 | TNT Ref25-08678762134_pdf.exe | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2 |
2668 | TNT Ref25-08678762134_pdf.exe | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System |
2668 | TNT Ref25-08678762134_pdf.exe | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. |
2668 | TNT Ref25-08678762134_pdf.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer |
2668 | TNT Ref25-08678762134_pdf.exe | A Network Trojan was detected | ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98 |
2668 | TNT Ref25-08678762134_pdf.exe | A Network Trojan was detected | MALWARE [PTsecurity] Fareit/Pony Downloader Checkin |
2668 | TNT Ref25-08678762134_pdf.exe | A Network Trojan was detected | MALWARE [PTsecurity] Fareit/Pony CnC Server stdResponse |