General

  • Target

    D7430680C994BC488209AA05C2E72DE9FFE5D85811140.exe

  • Size

    148KB

  • Sample

    220624-fb8r5aceh5

  • MD5

    d1f6d486c4afb6aca38ee45ed8ae4e3c

  • SHA1

    3343a6203db587c257252d5b493ea16d5ac93e13

  • SHA256

    d7430680c994bc488209aa05c2e72de9ffe5d858111404a2ffb7715bae4f0758

  • SHA512

    634e77f6dc9ff159742cabb90d9c3ce62c5f392b96f2cb01b93d86989369e374e9a473327ece255fc784348e9c3ac710a9e18192b686fc3b264793470d36208d

Malware Config

Extracted

Family

pony

C2

http://dinom.spb.ru/api/index.php

Targets

    • CrypVault

      Ransomware family which makes encrypted files look like they have been quarantined by AV.

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE Fareit/Pony Downloader Checkin 2

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and form history.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks