chimera

General

Target

.
Size

146KB
Sample

240406-rfxq7scf56
MD5

96f59b829d3dfa35ec20d89f67f72bfe
SHA1

7813594852dd3ad84368d1d37c77f4a2889a6bb4
SHA256

dd509149f220ee949306868d26f17b3ae99b68e633fd9318fffc07d394fe8a14
SHA512

953d4801ff7123c6ea4083a77882939abe342adc072a7800067c8edae977b2f9dce5f85c7132604c5197f760a7aef98503fd6ba388a1d0faa47cf646a459b38c
SSDEEP

1536:oNkud8LFVMUK4DgnVR4DBllKoVkL30vD9329s4DhHhqiS:CkPLFoVsllXmxPHhqiS

Score

10^/10

Malware Config

Targets

- Target
  
  .
- Size
  
  146KB
- MD5
  
  96f59b829d3dfa35ec20d89f67f72bfe
- SHA1
  
  7813594852dd3ad84368d1d37c77f4a2889a6bb4
- SHA256
  
  dd509149f220ee949306868d26f17b3ae99b68e633fd9318fffc07d394fe8a14
- SHA512
  
  953d4801ff7123c6ea4083a77882939abe342adc072a7800067c8edae977b2f9dce5f85c7132604c5197f760a7aef98503fd6ba388a1d0faa47cf646a459b38c
- SSDEEP
  
  1536:oNkud8LFVMUK4DgnVR4DBllKoVkL30vD9329s4DhHhqiS:CkPLFoVsllXmxPHhqiS
Score

10^/10

chimera warzonerat bootkit discovery evasion infostealer macro macro_on_action persistence ransomware rat spyware stealer trojan
- Chimera
  Ransomware which infects local and network files, often distributed via Dropbox links.
  ransomware chimera
- Suspicious use of NtCreateProcessExOtherParentProcess
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Renames multiple (3344) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Installed Components in the registry
  persistence
- Office macro that triggers on suspicious action
  Office document macro which triggers in special circumstances - often malicious.
  macro macro_on_action
- Sets file execution options in registry
  persistence
- Sets service image path in registry
  persistence
- Uses Session Manager for persistence
  Creates Session Manager registry key to run executable early in system boot.
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1