Analysis

  • max time kernel
    103s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    28-01-2022 17:24

General

  • Target

    f90ff089745109a3d59f8ba05d33547ae27df08cc269644ba1a41c9b9fcb782c.vbs

  • Size

    12KB

  • MD5

    fb20b1b1d48d96bacde2fd6caaeb42e7

  • SHA1

    49d5aab4e2611b8ba10e11b7de5e9eeb3d56e35a

  • SHA256

    f90ff089745109a3d59f8ba05d33547ae27df08cc269644ba1a41c9b9fcb782c

  • SHA512

    dfbc923b992f059546c35e8adeb97594de0fd97640dbd21f291bb727371239d2c9a9028c740ebb3a8467de99e3399524b2bd5b09bc1d5872f4b9db80134d4e40

Score
10/10


Signatures

  • Lampion

    Lampion is a banking trojan targeting Portuguese-speaking countries.

  • Blocklisted process makes network request (3 IoCs)
  • Drops startup file (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS (15 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Windows\System32\WScript.exe (PID 2580)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f90ff089745109a3d59f8ba05d33547ae27df08cc269644ba1a41c9b9fcb782c.vbs"
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    • Child: C:\Windows\System32\wscript.exe (PID 2716)
      wscript.exe C:\Users\Admin\AppData\Roaming\twaiqxhrite.vbs
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\LogonUI.exe (PID 1724)
    "LogonUI.exe" /flags:0x0 /state0:0xa3ad0855 /state1:0x41c64e6d
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery: System Information Discovery (T1082), 1 hit

Downloads

  • C:\Users\Admin\AppData\Roaming\49291722238063\bydgmecqtjxnooign47586828112601.exe
    MD5

    ea1690e3f85b74ff1945f8e8d3940980

    SHA1

    69b717da26aa78f94839b0adf37158585b071d65

    SHA256

    e9db57709d31e10e2b9cf2c1bea24ab86dd9f4dd16425c7700916d01570a0996

    SHA512

    3ba74c42ac8403e975ec1afb0752552318ecf17f76fc05ff651da9f6a4bdf7637e3eb7e6895ada16fea3cf384174b870b9fac8da47b5fb2b5123f1660967c2d6

  • C:\Users\Admin\AppData\Roaming\twaiqxhrite.vbs
    MD5

    b23b87d7263da42fbfd7be7e1e92a0aa

    SHA1

    b2ab691a9be8e88250b7a18d5fc98086430076f8

    SHA256

    765e305be8ce5bb289cc901ff776fe4aea30a4a81e2abb2192b7c9b01c8fc34c

    SHA512

    1760eee2c66a9b3ea7263ec99513953a76c946f47a8afffad1240d210448cf590cf942429050e2019f298f1ed94cb31ec24cc26c0614aff0b2139287cdf9060b