guerrilla | baa175b6fa6ee27992d80995f9eae285f3a3eceb35b655c0c5a5f58b7ac748dc | Triage

Submit
Reports

Overview

overview

Static

static

1

MuMuInstal...87.exe

windows7-x64

MuMuInstal...87.exe

windows10-2004-x64

6

Sharing

General

Target

MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe
Size

5.3MB
Sample

240331-rxyptseb35
MD5

86e0f88dcc69e631df6cfd28bb5babb1
SHA1

e7b3552cf10983c97bf3381fe66053f8f5a1ea9c
SHA256

baa175b6fa6ee27992d80995f9eae285f3a3eceb35b655c0c5a5f58b7ac748dc
SHA512

c2e0b76ea267cbe01019cd826c90ffcf84e88da1f16c83ae36cebe543cf75316b5a375a3f053165d4e8fe0b6d65a70558cb08693473d5710dc9de4a44fef7843
SSDEEP

98304:cevOCyjertpQj68ndGaX6tJJQv2FKA75OpVclc02vDRZTEW:pvOCyj2tpYo3u0jc02vVZoW

Score

10^/10

guerrilla irata mandrake infostealer persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe

Resource

win7-20240220-en

guerrilla irata mandrake infostealer persistence rat trojan

windows7-x64

26 signatures

150 seconds

Behavioral task

behavioral2

Sample

MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe

Resource

win10v2004-20240226-en

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe
- Size
  
  5.3MB
- MD5
  
  86e0f88dcc69e631df6cfd28bb5babb1
- SHA1
  
  e7b3552cf10983c97bf3381fe66053f8f5a1ea9c
- SHA256
  
  baa175b6fa6ee27992d80995f9eae285f3a3eceb35b655c0c5a5f58b7ac748dc
- SHA512
  
  c2e0b76ea267cbe01019cd826c90ffcf84e88da1f16c83ae36cebe543cf75316b5a375a3f053165d4e8fe0b6d65a70558cb08693473d5710dc9de4a44fef7843
- SSDEEP
  
  98304:cevOCyjertpQj68ndGaX6tJJQv2FKA75OpVclc02vDRZTEW:pvOCyj2tpYo3u0jc02vVZoW
Score

10^/10

guerrilla irata mandrake infostealer persistence rat trojan
- Guerrilla
  Guerrilla is an Android malware used by the Lemon Group threat actor.
  trojan infostealer rat guerrilla
- Guerrilla payload
- Irata
  Irata is an Iranian remote access trojan Android malware first seen in August 2022.
  trojan infostealer rat irata
- Irata payload
- Mandrake
  Mandrake is an Android spyware first seen in 2020.
  trojan infostealer rat mandrake
- Mandrake payload
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

guerrillairatamandrakeinfostealerpersistencerattrojan

behavioral2

© 2018-2024

Terms | Privacy