General

  • Target

    MHFNV-AnyDesk.zip

  • Size

    7.1MB

  • Sample

    230315-kbbjvacc78

  • MD5

    d823fc4cb1ca69045f306ba76720cc25

  • SHA1

    e66efcc2ff0a5b729155adac25d36646497694b7

  • SHA256

    fbcc321f10e8ed9fbda3e9d9ce6cc03ad1fa3c83578a2b22ec7f6fd853412750

  • SHA512

    37ec7433645bfd88260ccb332a73dea6aedd0f1465bca322e4a90fede46468213186a227437ce075142e809d2b40d01267a546af5f2623ad185f3ca31f546f0c

  • SSDEEP

    196608:IVvQZhCFrn0TKXb6Rxn9M8KMyc4k2cvBQxOKP+bX:XSrnCeY9Mdcz2ABQQKGbX

Malware Config

Targets

    • Target

      AnyDesk.exe

    • Size

      5.5MB

    • MD5

      33614c059849aaeacaa68422b11a9795

    • SHA1

      baf66bc7a279fcde9fa90708c153e06b89bb60d9

    • SHA256

      25884495d9c27c8b120bfab40bd28b7f5255b4916c54c7fb74a90dd8000bf44e

    • SHA512

      c211cfee30e6f3336a0d4aa8e44d91be4fb0399c2dc7d8a01b37d4264b44865c51037f5b6470f3aecd53cb551951132d80fbdba3b18fe0787cacd6166a66e5f6

    • SSDEEP

      98304:cKYGKdACTgvV6qPvZpgvXM/N3qZBO0cY2YPGvhP0JGom5:cp86qPvZ6v6NH0l7PXm5

    • Lampion

      Lampion is a banking trojan targeting Portuguese-speaking countries.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      tmp/ChromeSetup.exe

    • Size

      1.4MB

    • MD5

      38e7c79cf8fd1dc35afaa6706819d628

    • SHA1

      257d60060f742c943e9981a30be6edc94262d844

    • SHA256

      5ff2518d88344a100675488d86596aa57aea55df103d5b586a2b572baab6bff1

    • SHA512

      acb7ff1fa0937b6be85cf83c459d17d750f546bf694be21f5704283fad655b9bc7406656415eff4b7db91c4887308674a59f21a84926925991347e955540cfac

    • SSDEEP

      24576:Jw8KjKjGFygcc23L1/NVOmOSGb6E3ecS4fzrjxJh9UZXlpbPvC7xtYUrEmFlo+LT:PKjKWQc2b1FVgbjrjxPe1pbPSQm1FloS

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Registers COM server for autorun

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      tmp/SpotifySetup (6).exe

    • Size

      901KB

    • MD5

      6b4411127459dc891fc2fdecbf02ad23

    • SHA1

      b3904dd4f88ec6fce4f806eef1acad40c75e68b8

    • SHA256

      c85f5e46a80bf8658245f7409318a3e1a6894c5de5cfe321c0b1edb13a5e81e4

    • SHA512

      b075b9a2d6b6573627afcd4112da3cb081204169e59172f16de8c8ac7c7ad3a1ae809e9252c58094dbfdb16b9b48c1b032b18397acfc372fa0487271feee77c0

    • SSDEEP

      24576:bL3ZLvFFzsZ1nMdwOySKcgwkPIBu9mI+kVluU:bL3lsfMdwOySKkkPIY9z+kXj

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      tmp/filmora_setup_full1083.exe

    • Size

      1.7MB

    • MD5

      5b293ce0c49329de880b71bb704e75e3

    • SHA1

      c82db99df1f3e238fd1f489c8648a9afe82dcf4f

    • SHA256

      ef44c8a411347ab85152769cd99a6ad5fe1d20005ea857f920eb2bb60c705ca0

    • SHA512

      5d5d50d77b1e242a048ed7f78d82ad7c1fea78b6759afeda54764f92a77037b440c1f04d0a433a5f4e7760b6b165f09509e071793dfc93cd1972f49a04611743

    • SSDEEP

      49152:nCuREYPAwUb+zlXxbeOzsByErzt/QH3TOu5+NSae6G4n:WwxbfzsTrzt/gwNu+

    • Score

      7/10

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder (T1060): 5

Defense Evasion

  • Virtualization/Sandbox Evasion (T1497): 1

  • Modify Registry (T1112): 8

  • Install Root Certificate (T1130): 1

Credential Access

  • Credentials in Files (T1081): 1

Discovery

  • Query Registry (T1012): 11

  • Virtualization/Sandbox Evasion (T1497): 1

  • System Information Discovery (T1082): 12

  • Peripheral Device Discovery (T1120): 2

Collection

  • Data from Local System (T1005): 1

Tasks