88418205ad303c208f27e1efeef81032ce7373d0d005cdbe4d890d7351b5674c

Sharing

Copy URL

Twitter E-mail

General

Target

hacked client (rats) LMAO.rar
Size

12.9MB
Sample

240501-a7ksaadf64
MD5

0775b6806b6681187328c016517b1700
SHA1

a5a01aa5a920d24074d9ef9c7855257f83697744
SHA256

88418205ad303c208f27e1efeef81032ce7373d0d005cdbe4d890d7351b5674c
SHA512

002a68bf1f4f6e478091161f72e3cbf03f42140f2fea1601e3c7f2ebc058450792f83bf1c1a1d622d5cd00bd6e59dae31371648365e360496bdf4d271eee7d2f
SSDEEP

393216:fdC/u8iLsHTGKrZE8gcOHDgH4JVkn5nefJ:fdCGiTHZE5cEEHgVkn5efJ

Score

9^/10

Malware Config

Targets

- Target
  
  hacked client (rats) LMAO/Hermotet.exe
- Size
  
  1.9MB
- MD5
  
  47c6e34bf60e82c3a96119c1cf527c44
- SHA1
  
  09b8cbbe0ef5cf3c1a09a27ce753ab4b004a724e
- SHA256
  
  f65307eb8257dec735953bfba5c714c25d7ee56c059f5745589da5eea0ebfc34
- SHA512
  
  5141a26f72b217cae2af194659b8dfb8bad6912a7ae41cd3dfb542965f250f77e384de46829aa83c1611175febb9a2f106913d84c3df798bbb46a418b263cba6
- SSDEEP
  
  49152:WfAYYQ5jY24dwTaglicPKZqaoCO8Op4lLTfA:4Ai5k24dJgHCSwLT
Score

7^/10
- Loads dropped DLL
behavioral1
- Target
  
  hacked client (rats) LMAO/Itami.exe
- Size
  
  430KB
- MD5
  
  ad7057a3d1472fa03f068feb89eb81e0
- SHA1
  
  3c460a273a32961823c64e3b2c471b2eb48ed0a8
- SHA256
  
  348d5863c8a01db43945be3738198d9dc4d64f27c9c4282d59e1bc01af11dfab
- SHA512
  
  6258574f4174fe1bda67d92daf4e38f4568df9b1e20fdf453daed0de610a067048716ffe08ffb566ec739c5603c7edcd0b04a48cc1131412e2b3a51080c0be43
- SSDEEP
  
  12288:Pil9fU2f6xmRYNS35PByptXLhu7YR44Lnt4+:PqFU2SxBY35PByptMYRDnt4
Score

1^/10
behavioral2
- Target
  
  hacked client (rats) LMAO/Lithium-Lite.exe
- Size
  
  890KB
- MD5
  
  83332fe00134c250f148e0a94678505d
- SHA1
  
  1addaf46f648f405597e3a529498e62c468c481e
- SHA256
  
  d8911b82b4afe86b6e78d7b52a5ee77f5f879bc98d5ada1d4acfdb4286955791
- SHA512
  
  e7896ce67d0e027fece52aa03da5e43cd9d76e109695619e1be97c0bda4090de952c4be1fc1565c73e2d55d818b7faafbd7dc8d470def8774dc42be5a97ae8e7
- SSDEEP
  
  12288:dlojVjiZbVxU8/UvSAYiSRy7pA2PicwVgMBJzxHRWDonobOnS8E9Q:/OGUgsSAYippAmifPeefnSb9
Score

1^/10
behavioral3
- Target
  
  hacked client (rats) LMAO/axentav2.exe
- Size
  
  786KB
- MD5
  
  89ec845ca6b4ace15355ad206ebadc11
- SHA1
  
  8415a77f1cece08a113fddbe9c781fcffaf4dbd9
- SHA256
  
  cedab271e30415766e897ef6b1fce37116bfc73c6bf71bfa9f3343e261fa98d7
- SHA512
  
  edd655ee1b34dc62f00db12703d6ee5dc3e2ea5ea89ddfa84d856717205f8a1a1a8b66ee6a5e7995ae0c945530eb523c180c73871a4fcfa886c4d99f06bbf287
- SSDEEP
  
  12288:YMQuhuKcLL3/NYJP08rhgqhPEgYBsY8bOw4R1JcgKpfhJAs:YFoubLLPN6P0uhLhxMsYKYJcZAs
Score

7^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral4
- Target
  
  hacked client (rats) LMAO/ectasy.exe
- Size
  
  66KB
- MD5
  
  de3594a88b85041ec31efcf0735b1906
- SHA1
  
  a8751a4a7fdf31dc82162a35e906644652d37c4a
- SHA256
  
  7bef6dcd145cb672fded1ae019319cc13441552de9d48e35975d771bbd531124
- SHA512
  
  1b41d72aa942aa607ec04eca67f56f76f9a65407c258f66d2dd4fb812bc5d1211c5578c251360088a266ff4b62aa7aae3c394d48fd60a5e57f795e6913ec292b
- SSDEEP
  
  1536:SQjspDSF7IyR5ukwL3qJgkkkSkkkkkkekNkkkkkkkkkLc/cicWbjS1jDEOKcl:jjMS/5G+gkkkSkkkkkkekNkkkkkkkkk3
Score

6^/10
- Legitimate hosting services abused for malware hosting/C2
behavioral5
- Target
  
  hacked client (rats) LMAO/epic.exe
- Size
  
  1.1MB
- MD5
  
  0cf061ff391f467a683d11884d2ad520
- SHA1
  
  ed6212e71335f3707303da91c84993c149520d01
- SHA256
  
  3ac8a1a80b1aea1542a42ac25b0b4d730cc9f3cebd9b2661686177a083e98c03
- SHA512
  
  022e77fb62f3b5911172ef0b378b6f625fb940f475c6069c5146d179c0d426ba99a80f10fada8e5d1bdbd00c3ff3332dbf11f81469a75db29e79e71d0fe616d3
- SSDEEP
  
  24576:Yx4er0brd7gWwDj8pL3KXypmEgMjgWBzUnD4:eArd7gNSTBYWGnD4
Score

1^/10
behavioral6
- Target
  
  hacked client (rats) LMAO/icetea.exe
- Size
  
  629KB
- MD5
  
  ec75749551b255093e77a5d6c1d72e1b
- SHA1
  
  fac81f6c1f1bd668b66f2d1d84c6fe2a4e6b0c98
- SHA256
  
  1a9f99be6ea38d09047da97d68350d5c04f59cd40269569271ff3231fbabb32d
- SHA512
  
  2db7db3fe569d70e476d05f8b4e88e2f5d22ecccce12dca745208001078d0cd9c7f00711b32c2599d2b594f98a6a6ff20ef9c133d3c133654782788f8e5198e8
- SSDEEP
  
  12288:sLzn/Pp+rhlRXD4OAo+e9ipG+60o18wnqQ:sHn/PpwhLT4OAFyiEd18wnq
Score

1^/10
behavioral7
- Target
  
  hacked client (rats) LMAO/koid.exe
- Size
  
  1.7MB
- MD5
  
  937bd53a5f505b8e9b00416590ad8d92
- SHA1
  
  5abece11f9d282ec009bf441f132676344f1ede2
- SHA256
  
  662d56478c8fa24fb43b71cba64af8d941ddb90659c2412144b46137e2cc4c36
- SHA512
  
  2027fe14eff8cc0edd67be7f159e0710d79376aef11a70d4c0ad94d501667fd178780fb3a8f0c4481d2da32a3f6fd698e45cef297aee628cda1ae164e0434dd5
- SSDEEP
  
  49152:MXi87ZaoNcK9mVrSPYO1M+BrgdhwmzJnU:yvycBr
Score

1^/10
behavioral8
- Target
  
  hacked client (rats) LMAO/krypton.exe
- Size
  
  3.8MB
- MD5
  
  a7beb58e9507171e44455f1f823286ab
- SHA1
  
  3689b44d42583008d5d158968bf7e81c3c0ccf3c
- SHA256
  
  e781c6915a983883f16ed22a1236e9bc93af081fb5cd3b8ec4c554ceb18183db
- SHA512
  
  35b7714979773d60296d81f57c4805cc0160db8b881a27ef4370718049949940f9d5734566b6398d5ab7b32800bf50e6f54bdd23150ad02ac60f2b7b55bd4b2b
- SSDEEP
  
  98304:wpT46CmfHy/AnF2sq2F2LpwgYd8781v4yc3r:w5nCt4F2sq25jq73yc7
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral9
- Target
  
  hacked client (rats) LMAO/kura.exe
- Size
  
  3.3MB
- MD5
  
  208a92b2100ef3dc268b709e7a9aa3e2
- SHA1
  
  2825a5777445dd584289fe35e41c836f8743dbcb
- SHA256
  
  5e8394b44ba1373b36214d09b16a43ada6d001e55509de72c1f85928481422b0
- SHA512
  
  fa64f5ab44d63ee3963dfbc4c49f089fb9395c55a4847096c7791935876bfdb91af6653dc27db6a012cfba02ef97b7e5ac278a5145f1ad3b80fa735f1d86699a
- SSDEEP
  
  98304:UXoNdtf6+hovlWtuCZM8vNdvj1mJcEep/gG:UQL/mvHcMo9EeyG
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10
- Target
  
  hacked client (rats) LMAO/vega.exe
- Size
  
  599KB
- MD5
  
  284849a2131da7c109cb496b388bd3ac
- SHA1
  
  9b21005a0bb149ba8222ed5e53dbd3cf312ae404
- SHA256
  
  6cfe6fac4c62d54e6ed35a12607c561beced186069801b20e6eebede85940fa0
- SHA512
  
  3926df84b6bb57286198dda09461e2e1ced230a7215f5ed0ae4a1a6a2d394e57e4ef41a58b2cc63845f8328360a49af327afa8b3157b1c3ab7c14659b5962910
- SSDEEP
  
  12288:H7Ruo1chws0+PNY9G/HyN4OLWP0e6RUFDTv4qJMiKalnQ3S1pc8N/:H78oA0SNYgaN4OYFD7Mi5nv1r
Score

1^/10
behavioral11
- Target
  
  hacked client (rats) LMAO/zoomin.exe
- Size
  
  383KB
- MD5
  
  bc3cd5942f707ce50cc5e1e141d2313e
- SHA1
  
  6ecc49dd6ea7b641a641f5f9a260483a21fd6350
- SHA256
  
  9bcdb52a2a3f1ebad2b546042f660f39f1eb4cc4487dfbf50282e9a3b8492eef
- SHA512
  
  c2c46e83b85f8b131cc27829891ed77b1dd0294e4c6d1cd14b1853c8aa958e140a64e357ae1a43a737272afbfa9dae576ebc678429c2d8e1a16557b579c6e8fc
- SSDEEP
  
  6144:knRL7qME7uPOB+qUxO+Nsh98jO/6X+ZVrG5ddGatYmnerGVFJEEt:qnJavMqUxOfVrGVemnhPE
Score

1^/10
behavioral12

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Targets

Loads dropped DLL

VMProtect packed file

Legitimate hosting services abused for malware hosting/C2

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12