Overview

overview

10

Static

static

418dbcf5f8...47.vbs

windows7_x64

10

418dbcf5f8...47.vbs

windows10_x64

10

Analysis

  • max time kernel
    95s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    28-01-2022 21:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    418dbcf5f8d5ad7e16a0bb48c1e14cb269bf5bd814f0a70c3aa90ce787136047.vbs

  • Size

    13KB

  • MD5

    3350e74a4cfa020f9b256194eae25c12

  • SHA1

    7f5960ff9feff30d2f4a4c1598dd22632ceea0cb

  • SHA256

    418dbcf5f8d5ad7e16a0bb48c1e14cb269bf5bd814f0a70c3aa90ce787136047

  • SHA512

    0e880c29ebfd77bfd17713b1fef3f8d6177c6d34d456bf74150d48c6ce9b608fb654410fb724f6e04343abe5716b839c693bca66feb904b49569a11cf696b7fb

Score
10/10
lampionbankertrojan

Malware Config

Signatures

  • Lampion

    Lampion is a banking trojan, targeting Portuguese speaking countries.

    trojanbankerlampion
  • Blocklisted process makes network request 7 IoCs
  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\418dbcf5f8d5ad7e16a0bb48c1e14cb269bf5bd814f0a70c3aa90ce787136047.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\System32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Roaming\qoafmsypcua.vbs
      2⤵
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      PID:1612
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3ad2855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2532

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\87023991525173\nbdatjlxaaiasgfvy81415655016898.exe
    MD5

    5f37f928c444b536e3005b156def32e2

    SHA1

    681b66dc5e9cfe6e364759defa33a2e6b31d6c8f

    SHA256

    479f63cadd909231c6bfbda33f5832b04feb9cf1adc0ef9a267c63a6999b5d1d

    SHA512

    e9d8179cd6feba0ebb34399c8e57a67f532dba1d485f4c1e526a691709f6f14ef5453141680c0bf8c6294e5ec2ac963b118b09aaa4286acf4f310737cae32f15

    Download Submit

  • C:\Users\Admin\AppData\Roaming\qoafmsypcua.vbs
    MD5

    e58b6cd2e3e2e7455ec92850e744a60c

    SHA1

    df1e0a91969a647395a87b278a0665ab5f10ca1b

    SHA256

    15c15c7f2590fbf72fff8cf8ef5783247271acf26e5f7e60f70dce5d78f4d9b9

    SHA512

    b0aa32c80d7cabe8a66675b21dcc10446409fb6835536a9f63c80cfce925ed362a8c2d90cee8acf4200006bd00f914bcd38662144bf4021fa2c66e6f571ba5ed

    Download Submit