lampion | 1d0ec3dc89d3abb1d7f692c925fabef2e69cc25e5cd133f3753a131e4178a1af | Triage

Submit
Reports

Overview

overview

Static

static

1d0ec3dc89...af.exe

windows7_x64

1d0ec3dc89...af.exe

windows10-2004_x64

Sharing

General

Target

1d0ec3dc89d3abb1d7f692c925fabef2e69cc25e5cd133f3753a131e4178a1af
Size

15.8MB
Sample

220320-fhvh3sheal
MD5

f07e973e667b4dde07418f5f99357e92
SHA1

9c87c0d4dd7bb0fecc4c9498216ced51f66534b4
SHA256

1d0ec3dc89d3abb1d7f692c925fabef2e69cc25e5cd133f3753a131e4178a1af
SHA512

dd0fb71bc812ab1950b670a5c08198901d59449da8110de03d396d9093a3772a3335c7b250a677177f60b57e850400180539a1107fcd8afcf892fcdca0909af2

Score

10^/10

lampion banker evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

1d0ec3dc89d3abb1d7f692c925fabef2e69cc25e5cd133f3753a131e4178a1af.exe

Resource

win7-20220311-en

lampion banker evasion persistence trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

1d0ec3dc89d3abb1d7f692c925fabef2e69cc25e5cd133f3753a131e4178a1af.exe

Resource

win10v2004-20220310-en

lampion banker evasion persistence trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  1d0ec3dc89d3abb1d7f692c925fabef2e69cc25e5cd133f3753a131e4178a1af
- Size
  
  15.8MB
- MD5
  
  f07e973e667b4dde07418f5f99357e92
- SHA1
  
  9c87c0d4dd7bb0fecc4c9498216ced51f66534b4
- SHA256
  
  1d0ec3dc89d3abb1d7f692c925fabef2e69cc25e5cd133f3753a131e4178a1af
- SHA512
  
  dd0fb71bc812ab1950b670a5c08198901d59449da8110de03d396d9093a3772a3335c7b250a677177f60b57e850400180539a1107fcd8afcf892fcdca0909af2
Score

10^/10

lampion banker evasion persistence trojan
- Lampion
  Lampion is a banking trojan, targeting Portuguese speaking countries.
  trojan banker lampion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lampionbankerevasionpersistencetrojan

behavioral2

lampionbankerevasionpersistencetrojan

© 2018-2024

Terms | Privacy