chimera

Sharing

Copy URL

Twitter E-mail

General

Target

Spyware.zip
Size

5.8MB
Sample

240303-bmnh4sbd58
MD5

02017dab46a248b6c69982c35afdfa21
SHA1

2958978be43fa2b1ab2c7076182282b15d17e2dc
SHA256

4d104f2a3cb1812c62f80e35f7287d91b68c0163377001779b10e88c974f038d
SHA512

53a2b54347ff53c33a88b677f2100bb7873cea268c34de93901ae7fb85666692f3736bef4ab4f57920aa1c7f54fd24184f8b1c79062ef2b7b65a7b0ad8453184
SSDEEP

98304:Lm8Ju50KRWWU2sWXO34FmXbLgyRjVhURALh5tgS+1jc9KjBzz4eOl6:a8qw4VCXgyBVhUL2isec6

Score

10^/10

Malware Config

Targets

- Target
  
  Spyware/AgentTesla.exe
- Size
  
  2.8MB
- MD5
  
  cce284cab135d9c0a2a64a7caec09107
- SHA1
  
  e4b8f4b6cab18b9748f83e9fffd275ef5276199e
- SHA256
  
  18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9
- SHA512
  
  c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f
- SSDEEP
  
  49152:4HEHIHP6z9goDKncJkYgCB7UODoQvjZMElnp0zGMPokHz5xZtYgxsdexHwNbUMb:ZdRFBmnQ7rjZMYSzGbkHzXxWeu6W
Score

4^/10
behavioral1 behavioral2
- Target
  
  MaterialDesignColors.dll
- Size
  
  292KB
- MD5
  
  39367419516f5f3df9ab1f9e5d0bbcd5
- SHA1
  
  762c9acdb09bfdf40e700645131999202abbc871
- SHA256
  
  976eea4567656d536a6344b3834f958f2b9e27401b94c643681770437d5abc68
- SHA512
  
  20ea8a64a14579ef5403eae8a6345afa0f9b12229fdb8bc869f7a8cdd4e785093b9f60f9445be738266a161d75f53a8b8e42a69b2f9b4cbf4684f5dbf5113ae9
- SSDEEP
  
  1536:2ZJb/nKyGMbYrE4jKg4J4A+0MDR1TU7fKoVxbYCCMIRFxcE5istk0uWE1Ci4oggj:2DDrYrE6oJU907fKoVxb+Y
Score

1^/10
behavioral3 behavioral4
- Target
  
  MaterialDesignThemes.Wpf.dll
- Size
  
  7.1MB
- MD5
  
  fbd761926164043ac71ee9b83ab37fd1
- SHA1
  
  38d44b0f40fa31124ba139adeb6f7adc7e53ee19
- SHA256
  
  013a42b8c6ffa29e2198eed4faf6168247b6550a4c4ed5d82023a1d82a08e27e
- SHA512
  
  c2a0be2d8b5b98dc19ad167aadc1e68905ad259e3b0e020cfb95a8a816964549c98a9c5bc44b8f4640147bfd8555e799216b8dba13bf0eefed9582782da552d2
- SSDEEP
  
  98304:OXJDntBksKY+ND3WyA4+TLVei10vMzPv8/4C8B5XVS49Xzy83IiEcJMrCR2fShTf:onJ45/9iD54+V11bFv4z
Score

1^/10
behavioral5 behavioral6
- Target
  
  Microsoft.Management.Infrastructure.dll
- Size
  
  36KB
- MD5
  
  3998804194188c25df75f505ac5c531a
- SHA1
  
  6b15b2d779e7c46e31fcc864fc1ef326fb3d2b50
- SHA256
  
  cbec9a910488cadbad860c850ceae521a2a346619c5a9da579e5051e270f114c
- SHA512
  
  d7cd7457c753190fd1ae5386a62dffbe5907ace02227ef873f4c890f4a4e987914fb94ab1ec8318f48a76fc55cfe8e7de83b75cfcbec0bb8ff0e18d2d956abdc
- SSDEEP
  
  768:droEzop6gC66+666M66666+vvvvvvvvvvvvvF66666K66n6666666666ZpkLEyXD:nNLEyXCL
Score

1^/10
behavioral7 behavioral8
- Target
  
  SharpSteam.dll
- Size
  
  5KB
- MD5
  
  aa6d1a798829536972ac5ba7d01d0c77
- SHA1
  
  8ec399faa7c428e9962f116b2baf6efca636e8c8
- SHA256
  
  74a89211b2a1bcf84796785fb93647ac6a1e5efbb2bbd14ddcee2e50c15153a4
- SHA512
  
  a937d3840bd6102c321ebaa06e01bda575d383aa152c1c0bfc8faa870109a7672a9957c50a6a259ecf481b47450df1814d7d152334e396780fe15760281be870
- SSDEEP
  
  48:6O/89d6LfKuNpIoijbm2EjW6NINM/OMeZSCo1bumqMzxSu4tM/klXWRO6uFF:0uNpI7j6jWyPgysCcl8
Score

1^/10
behavioral10 behavioral9
- Target
  
  System.Management.Automation.dll
- Size
  
  352KB
- MD5
  
  835e9ede7e7c774e7a2d56cfdf6e9b17
- SHA1
  
  a43ed886b68c6ee913da85df9ad2064f1d81c470
- SHA256
  
  c3a5868584a777422cebcf31d6718fd2b26d5e2314d3b5ba6d8e47aa40faba0c
- SHA512
  
  74284fd44497beb74326d11a0f63d96aff20aa44cfa8385f6b63b7e6743403c36e2ea4fb0d991767117a97d320e04d2b21f0a4730916244af4ffdaf51e834a26
- SSDEEP
  
  3072:d/SDqTIE+QQVVBCTmAG17iT+Lt8D/1L2iLZdrs81sDotEKjRmarzRm+5gSBZqoEJ:d/PXS6WK2iLZdgotEKj9rzRmkgSBAot
Score

1^/10
behavioral11 behavioral12
- Target
  
  UWPHook.exe
- Size
  
  831KB
- MD5
  
  9aa4929291eff01d727b9fb88bba080c
- SHA1
  
  820321cd5e8fbf81db43f024e93ee190811b8906
- SHA256
  
  d55baebe14b8e68afd44227d3ae7307fa07dbbdd91331b892edde93fd027ca6e
- SHA512
  
  b52e18c3c8f4f30479c974e4c19e00cacdb850df6e631aeed553cbfee77703e664136385ff7a6b38c90ddf18e0c29a08c51264ad7696c5d8278b8876d3b7fe1f
- SSDEEP
  
  12288:O4IH5S68xqbLLjo9LfPw3ytl8dSkc6ZubYpE0EjcUBS4BJ:O35R8xf143yte6epEdjcUBzBJ
Score

1^/10
behavioral13 behavioral14
- Target
  
  VDFParser.dll
- Size
  
  15KB
- MD5
  
  17351a51f020d8352c3d8144bf89ab40
- SHA1
  
  80a46c4dd6be71f789183daaa6677629654ebe68
- SHA256
  
  503804161cd8ff82756292f6d4d24107e6c8ac4cf43df89378f7b5d3782cc2ad
- SHA512
  
  ab5b16f296d787a72fed58bcb00e1295a543d4fb5eff00cb82c065fe336d18a572884003e2b519f5d4880546ce592aa9d903ad096a7d78dedf5f72b76034c983
- SSDEEP
  
  384:GEI1akrMmNix7WLptEEEEEEEEEEEEEEEEEEEDl/hJOhE75MuODENhtN:lyMvWLptEEEEEEEEEEEEEEEEEEE5JwaJ
Score

1^/10
behavioral15 behavioral16
- Target
  
  Spyware/HawkEye.exe
- Size
  
  232KB
- MD5
  
  60fabd1a2509b59831876d5e2aa71a6b
- SHA1
  
  8b91f3c4f721cb04cc4974fc91056f397ae78faa
- SHA256
  
  1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
- SHA512
  
  3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
- SSDEEP
  
  3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKD:BMh5H7j5g54YZKXoxOuEEl64HZAi
Score

10^/10

chimera ransomware spyware stealer
- Chimera
  Ransomware which infects local and network files, often distributed via Dropbox links.
  ransomware chimera
- Chimera Ransomware Loader DLL
  Drops/unpacks executable file which resembles Chimera's Loader.dll.
  ransomware
- Renames multiple (2001) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral17 behavioral18
- Target
  
  Spyware/Kakwa.doc
- Size
  
  72KB
- MD5
  
  9a039302b3f3109607dfa7c12cfbd886
- SHA1
  
  9056556d0d63734e0c851ab549b05ccd28cf4abf
- SHA256
  
  31ca294ddd253e4258a948cf4d4b7aaaa3e0aa1457556e0e62ee53c22b4eb6f0
- SHA512
  
  8a174536b266b017962406076fe54ec3f4b625517b522875f233cd0415d5d7642a1f8ff980fb42d14dab1f623e3f91a735adefa2b9276d1622fa48e76952d83c
- SSDEEP
  
  768:jpXWjJYl3KBMOOqIcWS6bMr3kQc5Ch6KEBTOfz4:jFqOdLS6D5Ch6KEMfz
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
behavioral19 behavioral20
- Target
  
  Spyware/butterflyondesktop.exe
- Size
  
  2.8MB
- MD5
  
  1535aa21451192109b86be9bcc7c4345
- SHA1
  
  1af211c686c4d4bf0239ed6620358a19691cf88c
- SHA256
  
  4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
- SHA512
  
  1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da
- SSDEEP
  
  49152:5aA7f7tlVmdqK23H2bpHI4Qs5ABV9WRHZRsgI82lcHGAaKLinXBgJ:Q+VMkX224QsWBq5SfARGRgJ
Score

7^/10

discovery persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral21 behavioral22

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Chimera Ransomware Loader DLL

Renames multiple (2001) files with added filename extension

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Looks up external IP address via web service

Process spawned unexpected child process

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22