crypvault

General

Target

2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7.exe
Size

464KB
Sample

210426-nx8gmpflse
MD5

fe7bc3cd6512f31d48a58caf3e558fee
SHA1

5b2e6e541ea6f47e369291396a5d91564ece2eb8
SHA256

2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7
SHA512

26e5d85f46afcf1434ccce85836014a5adf11728a609e79a8d19d2e6da6f84588eb4b650b5b5184b66bd255cb8d4b0a19bbfad65dc7f058928c7e5bc88f1730b

Score

10^/10

Malware Config

Targets

- Target
  
  2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7.exe
- Size
  
  464KB
- MD5
  
  fe7bc3cd6512f31d48a58caf3e558fee
- SHA1
  
  5b2e6e541ea6f47e369291396a5d91564ece2eb8
- SHA256
  
  2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7
- SHA512
  
  26e5d85f46afcf1434ccce85836014a5adf11728a609e79a8d19d2e6da6f84588eb4b650b5b5184b66bd255cb8d4b0a19bbfad65dc7f058928c7e5bc88f1730b
Score

10^/10

crypvault pony discovery evasion ransomware rat spyware stealer upx
- CrypVault
  Ransomware family which makes encrypted files look like they have been quarantined by AV.
  ransomware crypvault
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2