File name: | ltedwbfb.exe |
Full analysis: | https://app.any.run/tasks/a0586350-b09f-4dad-8391-161244337363 |
Verdict: | Malicious activity |
Threats: | Pony is a malware with two main functions — stealing information and dropping other viruses with different tasks on infected machines. It has been around since 2011, and it still actively attacks users in Europe and America. |
Analysis date: | December 06, 2018, 13:50:26 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | DB4B4A6E729D1214AD33688F4167FFFC |
SHA1: | CA05C6F232F14433BB2A9DC63EF4B49D4CDBB2EC |
SHA256: | E1B4DC1A419E73795E791969E0A11770E52ADB5ED58414B51BA9E16E46CE906B |
SSDEEP: | 1536:oQGb9bsyt+6RT2np7NPE+qpiGCkUR9OJbpsuiSv0+UxdAbLmGbwKimXgXiWptNR9:mTWdE+GI9OVpKS8TxdALmaw6QdV |
.dll | | | Win32 Dynamic Link Library (generic) (38.3) |
---|---|---|
.exe | | | Win32 Executable (generic) (26.2) |
.exe | | | Win16/32 Executable Delphi generic (12) |
.exe | | | Generic Win/DOS Executable (11.6) |
.exe | | | DOS Executable Generic (11.6) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x1000 |
UninitializedDataSize: | - |
InitializedDataSize: | 4096 |
CodeSize: | 128000 |
LinkerVersion: | 8 |
PEType: | PE32 |
TimeStamp: | 2014:08:04 13:46:11+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 04-Aug-2014 11:46:11 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 4 |
Time date stamp: | 04-Aug-2014 11:46:11 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.start | 0x00001000 | 0x0001F3A8 | 0x0001F400 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.68229 |
.mail | 0x00021000 | 0x00000546 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.44777 |
.odata | 0x00022000 | 0x0001A000 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.89041 |
.rsrc | 0x0003C000 | 0x0000044A | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE | 5.75036 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 7.54209 | 714 | UNKNOWN | English - United States | RT_DIALOG |
clusapi.dll |
kernel32.dll |
shell32.dll |
untfs.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3080 | "C:\Users\admin\AppData\Local\Temp\ltedwbfb.exe" | C:\Users\admin\AppData\Local\Temp\ltedwbfb.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3832 | C:\Users\admin\AppData\Local\Temp\sfseunjd.exe | C:\Users\admin\AppData\Local\Temp\sfseunjd.exe | ltedwbfb.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2468 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe | sfseunjd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2564 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe | sfseunjd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3564 | "C:\Windows\system32\sdbinst.exe" /q "C:\Users\admin\AppData\Local\Temp\\..\..\LocalLow\com.admin.sdb" | C:\Windows\system32\sdbinst.exe | — | sfseunjd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Application Compatibility Database Installer Exit code: 3221226540 Version: 6.0.7600.16385 (win7_rtm.090713-1255) | ||||
2480 | "C:\Windows\system32\sdbinst.exe" /q "C:\Users\admin\AppData\Local\Temp\\..\..\LocalLow\com.admin.sdb" | C:\Windows\system32\sdbinst.exe | sfseunjd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Application Compatibility Database Installer Exit code: 0 Version: 6.0.7600.16385 (win7_rtm.090713-1255) | ||||
3184 | "C:\Windows\system32\iscsicli.exe" | C:\Windows\system32\iscsicli.exe | — | sfseunjd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: iSCSI Discovery tool Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3276 | "C:\Windows\system32\iscsicli.exe" | C:\Windows\system32\iscsicli.exe | sfseunjd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: iSCSI Discovery tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2332 | cmd /c C:\Users\admin\AppData\Local\Temp\..\..\LocalLow\cmd.admin.bat | C:\Windows\system32\cmd.exe | — | iscsicli.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2940 | "C:\Users\admin\AppData\Local\Temp\sfseunjd.exe" | C:\Users\admin\AppData\Local\Temp\sfseunjd.exe | cmd.exe | |
User: admin Integrity Level: HIGH |
PID | Process | Filename | Type | |
---|---|---|---|---|
2468 | svchost.exe | C:\Users\admin\AppData\Local\bdjmdbtj\jjbcnbda.exe | — | |
MD5:— | SHA256:— | |||
2564 | svchost.exe | C:\Users\admin\AppData\Local\Temp\~TMBE23.tmp | — | |
MD5:— | SHA256:— | |||
2468 | svchost.exe | C:\Users\admin\AppData\Local\dgjcifgy.log | binary | |
MD5:617DD239202F505A2D3D166F88256879 | SHA256:E104872D05573B4BF5DB85ACD802AF1F15B173DC5C139EE5AEA97DCD54D9758D | |||
2468 | svchost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jjbcnbda.exe | executable | |
MD5:DB4B4A6E729D1214AD33688F4167FFFC | SHA256:E1B4DC1A419E73795E791969E0A11770E52ADB5ED58414B51BA9E16E46CE906B | |||
2468 | svchost.exe | C:\ProgramData\qkoagtka.log | text | |
MD5:0CFBF1F563D8566D1E80E041303374BE | SHA256:3F54059BA10CF9171491AEE9104FEA54D95889E6E534758DA29A8D226CED3617 | |||
2564 | svchost.exe | C:\Users\admin\AppData\Local\ewnpecny.log | binary | |
MD5:50F8F6F74962F8209F9D9E1C63839BCD | SHA256:DAEE85AB902BB76E2EA0835DA175658E4AACBE4A19AE26B6ACC031192028E871 | |||
3080 | ltedwbfb.exe | C:\Users\admin\AppData\Local\Temp\sfseunjd.exe | executable | |
MD5:DB4B4A6E729D1214AD33688F4167FFFC | SHA256:E1B4DC1A419E73795E791969E0A11770E52ADB5ED58414B51BA9E16E46CE906B | |||
2564 | svchost.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\cookies.txt | text | |
MD5:D088657354C964147EC1158FD28AF14E | SHA256:E1B529CCB356269DD3CE7946AD6E18DF46AA4E37410352EAF061529989ED5A57 | |||
2564 | svchost.exe | C:\Users\admin\AppData\Local\mfpmqwom.log | binary | |
MD5:8CA81D566A4CE2E944467C9C33830BA0 | SHA256:131D460F88B1E8D43DCF652B44C7D8746D26649D95408244088AC5ED0FE0B37A | |||
2564 | svchost.exe | C:\Users\admin\AppData\Local\kmypexkj.log | binary | |
MD5:102E6974FA1965FE236E523929DAA686 | SHA256:9E4BD3EED2C762E6C06D2E6D159EB2CADBCC6B5DF0C7DA5A1A95265F7AF74ADF |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2468 | svchost.exe | 195.123.214.150:443 | ndomainhifreeluck.com | ITL Company | LV | malicious |
2468 | svchost.exe | 216.58.215.238:80 | google.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
google.com |
| whitelisted |
ndomainhifreeluck.com |
| malicious |
best-torrentsx.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
2468 | svchost.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin |
2468 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Ramnit Checkin |
2468 | svchost.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin |
2468 | svchost.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin |
2468 | svchost.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin |
2468 | svchost.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin |
2468 | svchost.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin |
2468 | svchost.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin |
2468 | svchost.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin |
2468 | svchost.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin |
Process | Message |
---|---|
sfseunjd.exe | CheckBypassed ok |
svchost.exe | Started |
svchost.exe | [VNCDLL][:2564][ImgMapSection:30] A section of 0 bytes mapped to the target process at 0x01D70000
|
svchost.exe | [VNCDLL][:2564][ImgMapSection:30] A section of 0 bytes mapped to the target process at 0x004A0000
|