guerrilla | 86e78c5424bca2e9f9b84c50e251118573dc22bcee6ff908362b6b0e37205bdc | Triage

Submit
Reports

Overview

overview

Static

static

1

LDPlayer9_...ld.exe

windows10-2004-x64

Sharing

General

Target

LDPlayer9_ru_25567197_ld.exe
Size

6.2MB
Sample

240402-pxj6bsad83
MD5

e0e91d2d5ecc36bde3a3ba87342c4442
SHA1

47dbd2d9ad2ac3c830339bada9f5daa1c7c993a2
SHA256

86e78c5424bca2e9f9b84c50e251118573dc22bcee6ff908362b6b0e37205bdc
SHA512

b1e2e7fb492158f5fa2ece54bd5a805a5dd97b1eca8d0da3d1ec2bfe8c55220acacf4627384e62745d440b263e1b416177094e33729b1bba97d414ebb575eb86
SSDEEP

98304:TaMOOH01Z71vVOO+svd2YJVr5cOlprwwEGK579UbrGi:TaMOA01uCtf5copnEGKF97

Score

10^/10

guerrilla discovery exploit infostealer persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

LDPlayer9_ru_25567197_ld.exe

Resource

win10v2004-20240226-en

guerrilla discovery exploit infostealer persistence rat spyware stealer trojan

windows10-2004-x64

42 signatures

1200 seconds

Malware Config

Targets

- Target
  
  LDPlayer9_ru_25567197_ld.exe
- Size
  
  6.2MB
- MD5
  
  e0e91d2d5ecc36bde3a3ba87342c4442
- SHA1
  
  47dbd2d9ad2ac3c830339bada9f5daa1c7c993a2
- SHA256
  
  86e78c5424bca2e9f9b84c50e251118573dc22bcee6ff908362b6b0e37205bdc
- SHA512
  
  b1e2e7fb492158f5fa2ece54bd5a805a5dd97b1eca8d0da3d1ec2bfe8c55220acacf4627384e62745d440b263e1b416177094e33729b1bba97d414ebb575eb86
- SSDEEP
  
  98304:TaMOOH01Z71vVOO+svd2YJVr5cOlprwwEGK579UbrGi:TaMOA01uCtf5copnEGKF97
Score

10^/10

guerrilla discovery exploit infostealer persistence rat spyware stealer trojan
- Guerrilla
  Guerrilla is an Android malware used by the Lemon Group threat actor.
  trojan infostealer rat guerrilla
- Guerrilla payload
- Creates new service(s)
  persistence
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Possible privilege escalation attempt
  exploit
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Subvert Trust Controls

SIP and Trust Provider Hijacking

Install Root Certificate

File and Directory Permissions Modification

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

guerrilladiscoveryexploitinfostealerpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy