General

  • Target

    AnyDeskAPP.msi

  • Size

    1.4MB

  • Sample

    230118-29ahwacd54

  • MD5

    4e4a4a4eb6a77d72af83b2bbd0698593

  • SHA1

    dbaeba54fcae50acc36565d0f61ad73df6df7d45

  • SHA256

    58e9f60d0b951029578cc1054668bfee2f00cfa029cfbd01ea65c7f61713a40a

  • SHA512

    69785dadc878bd1178672a8f08590eeccd268b4fd2107ae3909e59fba03e7cfa425f690580dfcfa1f5ec3e494e5ef0b7232a16a26c8fbf734ef3887da4044ccb

  • SSDEEP

    24576:Y+rwxLNjY3Wx0ECIgYmfLVYeBZrWAv12h2SekeUuyZD6lvs0zqa3:TrMjYMZKumZrWAWTreUuyZD6lvVz9

Targets

    • Lampion

      Lampion is a banking trojan targeting Portuguese-speaking countries.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6