Extracted

• • Target

    Halkbank,pdf.exe

  • Size

    791KB

  • MD5

    3e1e8f6ddfe357c6ae9d073f79138291

  • SHA1

    f232e9369b47d1b2a107b5b2b6c08a593b9f3ac6

  • SHA256

    63c825619e3cff8843b7ef1d81b493fa1addc20c548ac98010acc6afd254351a

  • SHA512

    5c24be4471bb05a2e9a700a705b6a94075610f339ee525f4c9b18b3f9a1ecff9c7dcd06c8021aae13b3ebb666ef3cd8378e28a34a734e6437e75655b0ace6a57

  • SSDEEP

    12288:KK2mhAMJ/cPlcWOQlaVxmL9PdLkVxEKvz9bM8h7UH16kyc3HS4Mr2TWA/pw8XfU7:72O/GlcWOkWmL7du7AMkycLZpNpixjX9

  Score

  10^/10

  ponycollectiondiscoverypersistenceratspywarestealer

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook accounts

    collection

  • Accesses Microsoft Outlook profiles

    collection

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral1behavioral2