crypvault

General

Target

AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe
Size

444KB
Sample

210508-2mcd3c4yze
MD5

fd442753c3895d868eed72f7854e2fba
SHA1

477dc12f213dd05a15b61207926b478d3a0d04c7
SHA256

aadde71205336ccdd048f0b5029becbbcd03e741045f406b2fa819b909809202
SHA512

1a7ff91196019abe9dfa93bfaca299ecd87693ef173560951b4d55f9d0c66355535bef724de26865205419e7638e57c762e332d7eff85187e9695f0a92e1d0c2

Score

10^/10

Malware Config

Targets

- Target
  
  AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe
- Size
  
  444KB
- MD5
  
  fd442753c3895d868eed72f7854e2fba
- SHA1
  
  477dc12f213dd05a15b61207926b478d3a0d04c7
- SHA256
  
  aadde71205336ccdd048f0b5029becbbcd03e741045f406b2fa819b909809202
- SHA512
  
  1a7ff91196019abe9dfa93bfaca299ecd87693ef173560951b4d55f9d0c66355535bef724de26865205419e7638e57c762e332d7eff85187e9695f0a92e1d0c2
Score

10^/10

crypvault pony discovery evasion ransomware rat spyware stealer upx
- CrypVault
  Ransomware family which makes encrypted files look like they have been quarantined by AV.
  ransomware crypvault
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2