Overview

overview

10

Static

static

1

casarowtt

windows7-x64

1

casarowtt

windows10-2004-x64

1

custsat.dll

windows7-x64

1

custsat.dll

windows10-2004-x64

1

dsssdvreeed55

windows7-x64

1

dsssdvreeed55

windows10-2004-x64

1

msvcr80.dll

windows7-x64

9

msvcr80.dll

windows10-2004-x64

9

windows.exe

windows7-x64

10

windows.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ww.zip

  • Size

    64.3MB

  • Sample

    230314-qhxcsahd9w

  • MD5

    ea84c24f3b91b5ee1e9f2bda0ff241e5

  • SHA1

    199ee70db0e7c2ffe7c86c44f4620bb852ead752

  • SHA256

    e24579a71df587a0eb35b584ce823fe05ba9dc07b1239834e0d8fc065513e645

  • SHA512

    377fccc7a4ed5bfe1bef853ea53d7a71bd7190edeeb230169276f499331efeb54de30a439005f8d413efc92a91095dbe0d2b84885d1af54c58427f9cf1d92ed2

  • SSDEEP

    1572864:ZCGV5760Cpr/o+U2CDL+e0MPAUee0L8fu1xMECG7mng80ulDdT7ax/BI6DlSJAMu:lV5DCpr/o12C/XPAUe94u1aECGqngARy

Score
10/10
lampionbankerevasionpersistencetrojan

Malware Config

Targets

    • Target

      casarowtt

    • Size

      89.4MB

    • MD5

      4a0cb5b23a8525f8f528b6886adf2a99

    • SHA1

      bd9e8a75e7dc107ab616b6096c825b31fe277a54

    • SHA256

      586285d193ada7a57f679255585084dd3f216fd16409c68c1d88a7e2e8af02c7

    • SHA512

      924186c01eaa7ed20c247de8fa778a45e80ebd92757f4de6b32802512763769f82ae42161f13013c033d279d040952aa6d840f03c610e01332f4ee00c246c073

    • SSDEEP

      1572864:z6IND8VgMOBpUQezl1W+VeiXanwcG1re2fazNEwEtA9l5v:uIis3v

    Score
    1/10
    behavioral1behavioral2

    • Target

      custsat.dll

    • Size

      33KB

    • MD5

      1ff80ebe5082a13d02253b415aa26f60

    • SHA1

      7da7551ec7f3f1e606edf9313595e4ebe45ac8d1

    • SHA256

      e0088b6361c7ea8e611ba32542beff7ac12955991c82a5fe9ef5d9a97d6ca14f

    • SHA512

      8c33e9427227835229d27f59206e55cd98c372e6a20981c6b0518a5f9b81c127b0f40276c21adac06a433c1947ab56f7f2166135d184dec1162b5071e3037e90

    • SSDEEP

      768:8UEt7dso9+bc7m+S45ii3iiHUM6cST2WENZ3gUpSS:LEZyoE/AtXUbcSSWENdgUV

    Score
    1/10
    behavioral3behavioral4

    • Target

      dsssdvreeed55

    • Size

      89.4MB

    • MD5

      349469b29044b15479728db1648caa73

    • SHA1

      a627cac57e680402f09a4f90d93aeaffb513291e

    • SHA256

      93955773f05cac6f5f449326b3b0bde52d0f9e7ed1b8aa6aa1c7baaf3faabe18

    • SHA512

      e1f800a6844260a0b1e8c1a9398e5262b675f0bbe70aa0ac05a0d80c7a3f5a9ff1007a64f6811a64d693dae2c3e4d90af75acc3e45003a6c7b8691721b16cdb3

    • SSDEEP

      786432:zUNDIyixRr1h1KZAN1xwVF6zDYCBg0LL1dtIURNf5:6DtKt1/KeXxMCBhLxdtIUH5

    Score
    1/10
    behavioral5behavioral6

    • Target

      msvcr80.dll

    • Size

      3.6MB

    • MD5

      201aab8f194ab13b82ca039a6a9e4a8e

    • SHA1

      27275cdbf3b4e89430e2faa46ec40fd9790172e0

    • SHA256

      de0c0334bd84c0b0f3d52b0181842263e46e4e7a3e3b5c3939cfc541c11a81e1

    • SHA512

      d9c23e3eca7c4937239ec942d45be7a59938de4fed562c7d6c1d1c18746c96c90b099e7b58da876aaef88f2fd2197890a1fd91b6e57b97652767cbd066b90c22

    • SSDEEP

      98304:p7N760QYYqZMfCG4KRZv9QdqXzKm0s4vB7v:ptmiMfb4KpQdmzIvB

    Score
    9/10
    evasiontrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral7behavioral8

    • Target

      windows.exe

    • Size

      213KB

    • MD5

      7fb1c5dfc2605843cec69a6fc4e96576

    • SHA1

      b5e591d23a3798b89648033760d3710a403b32be

    • SHA256

      330c1d3dd702af11b01ae38ced101e4c4217816e4887e9ebffe2e529cdc857d5

    • SHA512

      0c62d01a97d01044a7f4083f2cf6a0e18397bc50cc9f0847bf6da2f604d1d89cd3010d005785077aca2d8249f870f2817a6b4d845235cda55ac5519aee5dc1b7

    • SSDEEP

      6144:QPF/ZUebo8fKrnfc6cU2btV0h7FusG/oImYM:IF/ZzRoImYM

    Score
    10/10
    lampionbankerevasionpersistencetrojan

    • Lampion

      Lampion is a banking trojan, targeting Portuguese speaking countries.

      trojanbankerlampion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral10behavioral9

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

5
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks