- * MalFamily: "Pony"
- * MalScore: 10.0
- * File Name: "Pony_649235066887f12b1074b4ddcd305c91.exe"
- * File Size: 92672
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "e656a87f9ee91482ad7ff860d2c5898b1b4a2405af7d5b6026952a387c29813e"
- * MD5: "649235066887f12b1074b4ddcd305c91"
- * SHA1: "7d5fba0411d54f954756494013ce54a74563f33b"
- * SHA512: "30f756748ec73e99cee19ac5cbd57689c2474f48c5011ca890f3ca70494b04d7d30b2f82fe6f58deba1a079c0ecfee4c506f9be5931e042a00d9c36c31cb7607"
- * CRC32: "45E57B4D"
- * SSDEEP: "1536:RYC88FhqqTDQ8pquJXBaxcem4tJjglVQChLYO7fixpTvMEIokzmaI:GC8snqURocem4HKAO7vEIUaI"
- * Process Execution:
- "tQpQ9ImfhEt6i3.exe",
- "cmd.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\8967062.bat\" \"C:\\Users\\user\\AppData\\Local\\Temp\\tQpQ9ImfhEt6i3.exe\"",
- "C:\\Users\\user\\AppData\\Local\\Temp\\8967062.bat \"C:\\Users\\user\\AppData\\Local\\Temp\\tQpQ9ImfhEt6i3.exe\""
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "tQpQ9ImfhEt6i3.exe, PID 2284"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "tQpQ9ImfhEt6i3.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\8967062.bat"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "C:\\Users\\user\\AppData\\Local\\Temp\\8967062.bat \"C:\\Users\\user\\AppData\\Local\\Temp\\tQpQ9ImfhEt6i3.exe\""
- "Description": "Deletes its original binary from disk",
- "Details":
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "Description": "Exhibits behavior characteristic of Pony malware",
- "Details":
- "C2": "https://nztnyavroi.ru.net/server/Pony.exe"
- "Description": "Collects information about installed applications",
- "Details":
- "Program": "Google Update Helper"
- "Program": "Microsoft Excel MUI 2013"
- "Program": "Microsoft Outlook MUI 2013"
- "Program": "Google Chrome"
- "Program": "Adobe Flash Player 29 NPAPI"
- "Program": "Adobe Flash Player 29 ActiveX"
- "Program": "Microsoft DCF MUI 2013"
- "Program": "Microsoft Access MUI 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - English"
- "Program": "Adobe Acrobat Reader DC"
- "Program": "Microsoft Office Proofing Tools 2013 - Español"
- "Program": "Microsoft Publisher MUI 2013"
- "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
- "Program": "Microsoft Office Shared MUI 2013"
- "Program": "Microsoft Office OSM MUI 2013"
- "Program": "Microsoft InfoPath MUI 2013"
- "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
- "Program": "Microsoft Word MUI 2013"
- "Program": "Microsoft Groove MUI 2013"
- "Program": "Microsoft Access Setup Metadata MUI 2013"
- "Program": "Microsoft Office OSM UX MUI 2013"
- "Program": "Microsoft Office Professional Plus 2013"
- "Program": "Adobe Refresh Manager"
- "Program": "Microsoft Office Proofing 2013"
- "Program": "Microsoft Lync MUI 2013"
- "Program": "Microsoft OneNote MUI 2013"
- "Description": "CAPE detected the Fareit malware family",
- "Details":
- "Description": "File has been identified by 58 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Generic.StealerA.6113F943"
- "FireEye": "Generic.mg.649235066887f12b"
- "CAT-QuickHeal": "Trojanpws.Tepfer.20303"
- "ALYac": "Generic.StealerA.6113F943"
- "Cylance": "Unsafe"
- "K7AntiVirus": "Password-Stealer ( 0040f4f51 )"
- "Alibaba": "TrojanPSW:Win32/Tepfer.2ef57dfe"
- "K7GW": "Password-Stealer ( 0040f4f51 )"
- "Cybereason": "malicious.66887f"
- "Arcabit": "Generic.StealerA.6113F943"
- "Invincea": "heuristic"
- "Baidu": "Win32.Trojan-PSW.Fareit.a"
- "F-Prot": "W32/Bloop.A.gen!Eldorado"
- "Symantec": "Infostealer!im"
- "APEX": "Malicious"
- "Avast": "Sf:Crypt-AS Trj"
- "ClamAV": "Win.Trojan.Fareit-403"
- "Kaspersky": "Trojan-PSW.Win32.Tepfer.gen"
- "BitDefender": "Generic.StealerA.6113F943"
- "NANO-Antivirus": "Trojan.Win32.Siggen.evgeyh"
- "Paloalto": "generic.ml"
- "Ad-Aware": "Generic.StealerA.6113F943"
- "Emsisoft": "Generic.StealerA.6113F943 (B)"
- "Comodo": "TrojWare.Win32.PWS.Fareit.GS@5t8zib"
- "F-Secure": "Trojan.TR/PSW.Fareit.iloen"
- "DrWeb": "Trojan.PWS.Stealer.1932"
- "TrendMicro": "BKDR_PONY.SM"
- "McAfee-GW-Edition": "BehavesLike.Win32.PWSZbot.nh"
- "Trapmine": "malicious.high.ml.score"
- "Sophos": "Mal/Pony-A"
- "SentinelOne": "DFI - Malicious PE"
- "Cyren": "W32/Bloop.A.gen!Eldorado"
- "Jiangmin": "Trojan/PSW.Tepfer.btny"
- "Avira": "TR/PSW.Fareit.iloen"
- "MAX": "malware (ai score=100)"
- "Antiy-AVL": "TrojanPSW/Win32.Tepfer"
- "Microsoft": "PWS:Win32/Fareit"
- "Endgame": "malicious (high confidence)"
- "AegisLab": "Trojan.Win32.Generic.mtwx"
- "ZoneAlarm": "Trojan-PSW.Win32.Tepfer.gen"
- "GData": "Win32.Trojan-Stealer.Zbot.AB"
- "AhnLab-V3": "Trojan/Win32.Tepfer.R93111"
- "Acronis": "suspicious"
- "McAfee": "PWS-Zbot.gen.ate"
- "TACHYON": "Trojan-PWS/W32.Tepfer.92672.R"
- "VBA32": "SScope.Malware-Cryptor.Ponik"
- "Malwarebytes": "Spyware.Pony"
- "ESET-NOD32": "a variant of Win32/PSW.Fareit.A"
- "TrendMicro-HouseCall": "BKDR_PONY.SM"
- "Rising": "Stealer.Fareit!1.B777 (CLASSIC)"
- "Yandex": "Trojan.PonyPass.Gen.LH"
- "Ikarus": "Trojan-Spy.Fareit"
- "eGambit": "Unsafe.AI_Score_99%"
- "Fortinet": "W32/Agent.NTM!tr"
- "AVG": "Sf:Crypt-AS Trj"
- "Panda": "Trj/Tepfer.D"
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- "Qihoo-360": "Win32/Trojan.PSW.c13"
- "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
- "Details":
- "target": "clamav:Win.Trojan.Fareit-403, sha256:e656a87f9ee91482ad7ff860d2c5898b1b4a2405af7d5b6026952a387c29813e, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "Description": "Harvests credentials from local FTP client softwares",
- "Details":
- "file": "C:\\Program Files (x86)\\CuteFTP\\sm.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\CuteFTP\\sm.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP\\sm.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\CuteFTP\\sm.dat"
- "file": "C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP\\sm.dat"
- "file": "C:\\ProgramData\\CuteFTP\\sm.dat"
- "file": "C:\\ProgramData\\GlobalSCAPE\\CuteFTP\\sm.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\GlobalSCAPE\\CuteFTP\\sm.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\FlashFXP\\4\\Sites.dat"
- "file": "C:\\ProgramData\\FlashFXP\\3\\Sites.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\FlashFXP\\3\\Sites.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FlashFXP\\4\\Sites.dat"
- "file": "C:\\ProgramData\\FlashFXP\\4\\Sites.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FlashFXP\\3\\Sites.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\FlashFXP\\3\\Quick.dat"
- "file": "C:\\ProgramData\\FlashFXP\\4\\Quick.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FlashFXP\\4\\Quick.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\FlashFXP\\4\\Quick.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FlashFXP\\3\\Quick.dat"
- "file": "C:\\ProgramData\\FlashFXP\\3\\Quick.dat"
- "file": "C:\\Users\\user\\AppData\\Local\\FileZilla\\sitemanager.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"
- "file": "C:\\ProgramData\\FileZilla\\sitemanager.xml"
- "file": "C:\\ProgramData\\FileZilla\\recentservers.xml"
- "file": "C:\\Users\\user\\AppData\\Local\\FileZilla\\recentservers.xml"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
- "file": "C:\\Users\\user\\AppData\\Local\\VanDyke\\Config\\Sessions\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\VanDyke\\Config\\Sessions\\*.*"
- "file": "C:\\ProgramData\\VanDyke\\Config\\Sessions\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FTP Explorer\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\FTP Explorer\\*.*"
- "file": "C:\\ProgramData\\FTP Explorer\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\SmartFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\SmartFTP\\*.*"
- "file": "C:\\ProgramData\\SmartFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\TurboFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\TurboFTP\\*.*"
- "file": "C:\\ProgramData\\TurboFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FTPRush\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\FTPRush\\*.*"
- "file": "C:\\ProgramData\\FTPRush\\*.*"
- "file": "C:\\ProgramData\\LeapWare\\LeapFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\LeapWare\\LeapFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\LeapWare\\LeapFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\FTPGetter\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\FTPGetter\\*.*"
- "file": "C:\\ProgramData\\FTPGetter\\*.*"
- "file": "C:\\Users\\user\\AppData\\Local\\Estsoft\\ALFTP\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Estsoft\\ALFTP\\*.*"
- "file": "C:\\ProgramData\\Estsoft\\ALFTP\\*.*"
- "file": "C:\\Program Files (x86)\\Common Files\\Ipswitch\\WS_FTP\\*.*"
- "key": "HKEY_CURRENT_USER\\Software\\Far Manager\\Plugins\\FTP\\Hosts"
- "key": "HKEY_CURRENT_USER\\Software\\Far\\Plugins\\FTP\\Hosts"
- "key": "HKEY_CURRENT_USER\\Software\\Far2\\Plugins\\FTP\\Hosts"
- "key": "HKEY_CURRENT_USER\\Software\\Far\\SavedDialogHistory\\FTPHost"
- "key": "HKEY_CURRENT_USER\\Software\\Far2\\SavedDialogHistory\\FTPHost"
- "key": "HKEY_CURRENT_USER\\Software\\Far Manager\\SavedDialogHistory\\FTPHost"
- "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 7 Professional\\QCToolbar"
- "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 8 Professional\\QCToolbar"
- "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 8 Home\\QCToolbar"
- "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 6 Professional\\QCToolbar"
- "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 6 Home\\QCToolbar"
- "key": "HKEY_CURRENT_USER\\Software\\GlobalSCAPE\\CuteFTP 7 Home\\QCToolbar"
- "key": "HKEY_LOCAL_MACHINE\\Software\\Ghisler\\Windows Commander"
- "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Windows Commander"
- "key": "HKEY_CURRENT_USER\\Software\\Ghisler\\Total Commander"
- "key": "HKEY_LOCAL_MACHINE\\Software\\Ghisler\\Total Commander"
- "key": "HKEY_CURRENT_USER\\Software\\BPFTP\\Bullet Proof FTP\\Options"
- "key": "HKEY_CURRENT_USER\\Software\\BPFTP\\Bullet Proof FTP\\Main"
- "key": "HKEY_CURRENT_USER\\Software\\FileZilla"
- "key": "HKEY_LOCAL_MACHINE\\Software\\FileZilla"
- "key": "HKEY_CURRENT_USER\\Software\\FileZilla Client"
- "key": "HKEY_LOCAL_MACHINE\\Software\\FileZilla Client"
- "key": "HKEY_CURRENT_USER\\Software\\TurboFTP"
- "key": "HKEY_LOCAL_MACHINE\\Software\\TurboFTP"
- "key": "HKEY_CURRENT_USER\\Software\\Sota\\FFFTP\\Options"
- "key": "HKEY_CURRENT_USER\\Software\\Sota\\FFFTP"
- "key": "HKEY_CURRENT_USER\\Software\\FTPWare\\COREFTP\\Sites"
- "key": "HKEY_CURRENT_USER\\Software\\FTP Explorer\\FTP Explorer\\Workspace\\MFCToolBar-224"
- "key": "HKEY_CURRENT_USER\\Software\\FTP Explorer\\Profiles"
- "key": "HKEY_LOCAL_MACHINE\\Software\\FTPClient\\Sites"
- "key": "HKEY_CURRENT_USER\\Software\\FTPClient\\Sites"
- "key": "HKEY_CURRENT_USER\\Software\\LinasFTP\\Site Manager"
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Robo-FTP 3.7\\Scripts"
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Robo-FTP 3.7\\FTPServers"
- "key": "HKEY_CURRENT_USER\\SOFTWARE\\Robo-FTP 3.7\\FTPServers"
- "key": "HKEY_CURRENT_USER\\SOFTWARE\\Robo-FTP 3.7\\Scripts"
- "key": "HKEY_CURRENT_USER\\Software\\MAS-Soft\\FTPInfo\\Setup"
- "key": "HKEY_LOCAL_MACHINE\\Software\\SoftX.org\\FTPClient\\Sites"
- "key": "HKEY_CURRENT_USER\\Software\\SoftX.org\\FTPClient\\Sites"
- "key": "HKEY_CURRENT_USER\\Software\\BulletProof Software\\BulletProof FTP Client\\Main"
- "key": "HKEY_CURRENT_USER\\Software\\BulletProof Software\\BulletProof FTP Client\\Options"
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Microsoft Outlook Internet Settings"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Account Manager\\Accounts"
- "key": "HKEY_CURRENT_USER\\Identities\\0A258175-2D14-4D69-9955-E200F247250F\\Software\\Microsoft\\Internet Account Manager\\Accounts"
- * Started Service:
- * Mutexes:
- "Local\\_!MSFTHISTORY!_",
- "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
- "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
- "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
- "\\??\\PIPE\\samr",
- "C:\\Users\\user\\AppData\\Local\\Temp\\8967062.bat"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\tQpQ9ImfhEt6i3.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\8967062.bat"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\WinRAR",
- "HKEY_CURRENT_USER\\Software\\WinRAR\\HWID"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "nztnyavroi.ru.net",
- "answers":
- * Domains:
- "ip": "",
- "domain": "nztnyavroi.ru.net"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: