File name: | Оплата за сентябрь.001 |
Full analysis: | https://app.any.run/tasks/e8e64bc0-60db-419e-afc3-c08e403eb670 |
Verdict: | Malicious activity |
Threats: | Pony is a malware with two main functions — stealing information and dropping other viruses with different tasks on infected machines. It has been around since 2011, and it still actively attacks users in Europe and America. |
Analysis date: | September 19, 2019, 06:26:12 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | CB2834BE49E807798BB576D2BC772456 |
SHA1: | 928B035E07B0B25BD8246A1DED6415479E0D6206 |
SHA256: | F9D4E81152DA11CBA77D38B594B4F930B88FECF7FDA71D8DA94E3662FA7638F0 |
SSDEEP: | 1536:lLDR8fRZcEKeXabr2K0RiUWZeEISRU1ka1XA0mGAfZ:ZR8fncEEbJrnZeEISRU1vrTAR |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2724 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Оплата за сентябрь.001.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2684 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2724.40007\Оплата за сентябрь.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2724.40007\Оплата за сентябрь.exe | WinRAR.exe | |
User: admin Integrity Level: MEDIUM Exit code: 3221225477 | ||||
3276 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2724.40007\Оплата за сентябрь.exe" dfsr | C:\Users\admin\AppData\Local\Temp\Rar$EXa2724.40007\Оплата за сентябрь.exe | Оплата за сентябрь.exe | |
User: admin Integrity Level: MEDIUM Exit code: 3221225477 | ||||
3868 | cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\admin\AppData\Local\Temp\Rar$EXa2724.40007\Оплата за сентябрь.exe" | C:\Windows\system32\cmd.exe | — | Оплата за сентябрь.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2772 | ping 127.0.0.1 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2724 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2724.40007\Оплата за сентябрь.exe | executable | |
MD5:97092BEC12FB5938C70229BA2708E3E4 | SHA256:42B937924371D2FFB1168F5A739A86BF1A4820BD24DA79B0B8B34D133B88CA74 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3276 | Оплата за сентябрь.exe | POST | — | 172.105.69.5:80 | http://172.105.69.5/g_38472341.php | US | — | — | malicious |
3276 | Оплата за сентябрь.exe | GET | 200 | 172.105.69.5:80 | http://172.105.69.5/index.php?id=0&un=61646d696e&cn=555345522d5043 | US | executable | 97.0 Kb | malicious |
3276 | Оплата за сентябрь.exe | POST | — | 172.105.69.5:80 | http://172.105.69.5/g_38472341.php | US | — | — | malicious |
3276 | Оплата за сентябрь.exe | POST | — | 172.105.69.5:80 | http://172.105.69.5/g_38472341.php | US | — | — | malicious |
3276 | Оплата за сентябрь.exe | GET | 200 | 172.105.69.5:80 | http://172.105.69.5/index.php?id=0&un=61646d696e&cn=555345522d5043 | US | executable | 97.0 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3276 | Оплата за сентябрь.exe | 104.16.54.3:443 | blockchain.info | Cloudflare Inc | US | shared |
3276 | Оплата за сентябрь.exe | 172.105.69.5:80 | — | — | US | malicious |
3276 | Оплата за сентябрь.exe | 52.86.198.63:443 | api.blockcypher.com | Amazon.com, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
blockchain.info |
| shared |
api.blockcypher.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3276 | Оплата за сентябрь.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3276 | Оплата за сентябрь.exe | A Network Trojan was detected | ET CURRENT_EVENTS WinHttpRequest Downloading EXE |
3276 | Оплата за сентябрь.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
3276 | Оплата за сентябрь.exe | A Network Trojan was detected | ET TROJAN Pony DLL Download M2 |
3276 | Оплата за сентябрь.exe | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2 |
3276 | Оплата за сентябрь.exe | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2 |
3276 | Оплата за сентябрь.exe | A Network Trojan was detected | ET CURRENT_EVENTS WinHttpRequest Downloading EXE |
3276 | Оплата за сентябрь.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
3276 | Оплата за сентябрь.exe | A Network Trojan was detected | ET TROJAN Pony DLL Download M2 |
3276 | Оплата за сентябрь.exe | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2 |