File name: TNT_Ref25-08678762134_pdf.gz_AC2C568B8F931CA35EC3136B92C3C1DC.zip

Full analysis: https://app.any.run/tasks/4c4de072-cace-43c2-8b47-f34dc9ad8c0a
Verdict: Malicious activity
Threats:
Pony is malware with two main functions: stealing information and dropping other malicious payloads with different tasks onto infected machines. It has been around since 2011 and still actively attacks users in Europe and America.

Analysis date: January 11, 2019, 10:30:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, pony, fareit, opendir
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: B7EE951F197E30FAEC48AEC1D866CA65
SHA1: 1D6A8B2E9B851023087A80ECA8E60A2EA5C17B25
SHA256: CA7A0B74ED99C55254E8BBDBD4BAF54D2D078ACA099B67980E6455A765323D71
SSDEEP: 3072:7RBHFDw4SFnDJumNJD80qQT0nkZu74U7IjPhUOBCt8z19oYyI/Xramyv7Ac:1BlcRJ5J40qQT/Q74U7WpC+t9Damy0c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • TNT Ref25-08678762134_pdf.exe (PID: 2756)
      • TNT Ref25-08678762134_pdf.exe (PID: 2668)
    • Connects to CnC server
      • TNT Ref25-08678762134_pdf.exe (PID: 2668)
    • Detected Pony/Fareit Trojan
      • TNT Ref25-08678762134_pdf.exe (PID: 2668)
    • Actions look like stealing of personal data
      • TNT Ref25-08678762134_pdf.exe (PID: 2668)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3652)
    • Application launched itself
      • TNT Ref25-08678762134_pdf.exe (PID: 2756)
    • Starts CMD.EXE for command execution
      • TNT Ref25-08678762134_pdf.exe (PID: 2668)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: TNT_Ref25-08678762134_pdf.gz
ZipUncompressedSize: 195412
ZipCompressedSize: 195318
ZipCRC: 0x99ad50c5
ZipModifyDate: 2019:01:11 09:51:20
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
Total processes: 36
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process chain): winrar.exe -> winrar.exe -> tnt ref25-08678762134_pdf.exe -> tnt ref25-08678762134_pdf.exe (#PONY) -> cmd.exe

Process information

PID: 2864
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\TNT_Ref25-08678762134_pdf.gz_AC2C568B8F931CA35EC3136B92C3C1DC.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3652
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\TNT_Ref25-08678762134_pdf.gz"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2756
CMD: "C:\Users\admin\Desktop\TNT Ref25-08678762134_pdf.exe" 
Path: C:\Users\admin\Desktop\TNT Ref25-08678762134_pdf.exe
Parent process: explorer.exe
User: admin
Company: Marched5
Integrity Level: MEDIUM
Description: Grimbeorn7
Exit code: 0
Version: 3.08.0004

PID: 2668
CMD: C:\Users\admin\Desktop\TNT Ref25-08678762134_pdf.exe" 
Path: C:\Users\admin\Desktop\TNT Ref25-08678762134_pdf.exe
Parent process: TNT Ref25-08678762134_pdf.exe
User: admin
Company: Marched5
Integrity Level: MEDIUM
Description: Grimbeorn7
Exit code: 0
Version: 3.08.0004

PID: 3328
CMD: cmd /c ""C:\Users\admin\AppData\Local\Temp\1842468.bat" "C:\Users\admin\Desktop\TNT Ref25-08678762134_pdf.exe" "
Path: C:\Windows\system32\cmd.exe
Parent process: TNT Ref25-08678762134_pdf.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 1 152
Read events: 1 105
Write events: 47
Delete events: 0

Modification events

(PID) Process: (2864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2864) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\TNT_Ref25-08678762134_pdf.gz_AC2C568B8F931CA35EC3136B92C3C1DC.zip

(PID) Process: (2864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (2864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 1
Suspicious files: 2
Text files: 1
Unknown types: 0

Dropped files

PID: 2864
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb2864.14906\TNT_Ref25-08678762134_pdf.gz
Type: compressed
MD5: AC2C568B8F931CA35EC3136B92C3C1DC
SHA256: 2EBF495B042AB806AF0C776552F3FF62C6B260BBF07667BB7FF4A52DA22CEE1F

PID: 3652
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3652.16436\TNT Ref25-08678762134_pdf.exe
Type: executable
MD5: 8EDEA4671DFFB8D17D65F4B5AB165060
SHA256: 735FCD68EC2C6DDD01A33F2FB2DFEEEDA2C15E7E6B2AE0957E4FDDFC00F71F59

PID: 2756
Process: TNT Ref25-08678762134_pdf.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF0F18F5702FD7667C.TMP
Type: binary
MD5: 8EECDF8C5C71C01DD9EF43F4C78EA32C
SHA256: E34833A82A5FB573AEFBA4E1B8CA68FDB85C0F99F4DA3E9903BB9E723316E42F

PID: 2668
Process: TNT Ref25-08678762134_pdf.exe
Filename: C:\Users\admin\AppData\Local\Temp\1842468.bat
Type: text
MD5: 3880EEB1C736D853EB13B44898B718AB
SHA256: 936D9411D5226B7C5A150ECAF422987590A8870C8E095E1CAA072273041A86E7
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID: 2668
Process: TNT Ref25-08678762134_pdf.exe
Method: POST
IP: 206.189.132.252:80
URL: http://lyricsbright.com/onyii/panelnew/gate.php
CN: US
Reputation: malicious

Connections

PID: 2668
Process: TNT Ref25-08678762134_pdf.exe
IP: 206.189.132.252:80
Domain: lyricsbright.com
CN: US
Reputation: malicious

DNS requests

Domain: lyricsbright.com
IP: 206.189.132.252
Reputation: malicious

Threats

PID: 2668
Process: TNT Ref25-08678762134_pdf.exe
Class: A Network Trojan was detected
Message: ET TROJAN Fareit/Pony Downloader Checkin 2

PID: 2668
Process: TNT Ref25-08678762134_pdf.exe
Class: Potential Corporate Privacy Violation
Message: ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System

PID: 2668
Process: TNT Ref25-08678762134_pdf.exe
Class: Potential Corporate Privacy Violation
Message: ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.

PID: 2668
Process: TNT Ref25-08678762134_pdf.exe
Class: A Network Trojan was detected
Message: ET TROJAN Trojan Generic - POST To gate.php with no referer

PID: 2668
Process: TNT Ref25-08678762134_pdf.exe
Class: A Network Trojan was detected
Message: ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98

PID: 2668
Process: TNT Ref25-08678762134_pdf.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Fareit/Pony Downloader Checkin

PID: 2668
Process: TNT Ref25-08678762134_pdf.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Fareit/Pony CnC Server stdResponse
1 ETPRO signature available in the full report
No debug info