General
-
Target
3f9bfbb9ac8cde1e7038b66d961dd149be2f86348c0a30d4455cffed6dc1614e.exe
-
Size
319KB
-
Sample
221223-rvqlfabg3x
-
MD5
37db790ae1c5c9d514f0b21b2ee41eba
-
SHA1
b82c08f43f11430773d313ee362ca0726bbafa24
-
SHA256
3f9bfbb9ac8cde1e7038b66d961dd149be2f86348c0a30d4455cffed6dc1614e
-
SHA512
79c8cfad6f27739cd567d2f49035ab37081d38677e9b0ac28942d4221a4327c9f44fc3deb31038543710d533369681c8a82561b97008e33dc6e3d5e5f2937c0f
-
SSDEEP
6144:fMjokASLOMN9/wJP96/0ma0ZlDFWs9zAnmeDWB2hDukzinSiikKWfxCdvHnQSd2b:nkAqOi94x968mR/DDzBO82hpinSiikxp
Malware Config
Extracted
pony
http://gruzdom.ru/api/
Targets
-
-
Target
3f9bfbb9ac8cde1e7038b66d961dd149be2f86348c0a30d4455cffed6dc1614e.exe
-
Size
319KB
-
MD5
37db790ae1c5c9d514f0b21b2ee41eba
-
SHA1
b82c08f43f11430773d313ee362ca0726bbafa24
-
SHA256
3f9bfbb9ac8cde1e7038b66d961dd149be2f86348c0a30d4455cffed6dc1614e
-
SHA512
79c8cfad6f27739cd567d2f49035ab37081d38677e9b0ac28942d4221a4327c9f44fc3deb31038543710d533369681c8a82561b97008e33dc6e3d5e5f2937c0f
-
SSDEEP
6144:fMjokASLOMN9/wJP96/0ma0ZlDFWs9zAnmeDWB2hDukzinSiikKWfxCdvHnQSd2b:nkAqOi94x968mR/DDzBO82hpinSiikxp
Score10/10-
CrypVault
Ransomware family which makes encrypted files look like they have been quarantined by AV.
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-