General

  • Target

    5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe

  • Size

    218KB

  • Sample

    220624-rzpvpschep

  • MD5

    eb6009f8d970345d2bda321bda243b06

  • SHA1

    0d77001fd776db124b2e01abfef61720d3708763

  • SHA256

    5f0798cdb628b90fa0507427cfad23ac606c781d630526e15c20e0150a9ece04

  • SHA512

    01fac880e92ead6fe3127a680549b4ecae013a0bab95c086b4c1399cfc892deee16af6dddf2edd8d20f8b62891dfae3a909023b4940ef010e07fadcc7b2f4059

Malware Config

Extracted

Family

pony

C2

http://dinom.spb.ru/api/index.php

Targets

    • CrypVault

      Ransomware family which makes encrypted files look like they have been quarantined by AV.

    • Pony, Fareit

      Pony (also known as Fareit) is a Remote Access Trojan that steals information.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE Fareit/Pony Downloader Checkin 2

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks