General

  • Target

    tyler.jpg

  • Size

    47KB

  • Sample

    240827-sa1rcaxgqr

  • MD5

    a4e8e2d3b2f54a7d91f73f25280e29f4

  • SHA1

    77ecb0a6391a72b0deba66b651adc70aa9e31e97

  • SHA256

    67b2c63de52b106cb5067d162d231d04d9a4c977b470014b8bd7e3142451c0c7

  • SHA512

    5c100af3d55901a5aff5c53490c797b243315cd66a2c319cdbcd1b15308470fcda987222bf236ef415fdd35cd0803b9b08aac8843d2d9fcdbf1f79d4e5fadb48

  • SSDEEP

    768:HDZyIdPap+jg0263KE+lP2CDvz9IT7S+uulO+M0+Kd4d9gg770gde4avcC+8JnGs:HDRdPE+kA6EO2O+z5lfV+KdA9gg7Y4a5

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

crimsonrat

C2

185.136.161.124

Targets

    • Target

      tyler.jpg


    • Chimera

      Ransomware that encrypts local and network files; often distributed via Dropbox links.

    • Chimera Ransomware Loader DLL

      Drops/unpacks executable file which resembles Chimera's Loader.dll.

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is malware attributed to a Pakistan-linked threat actor.

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • Renames multiple (3280) files with added filename extension

      Appending a new extension to thousands of files is consistent with ransomware encrypting the files on the system.

    • RevengeRat Executable

    • Disables Task Manager via registry modification

    • Drops startup file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext
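The configuration extracted above (the ngrok C2 endpoint, the CrimsonRAT C2 address and the RV_MUTEX mutex) and the behavioural signatures listed under Targets can be turned into host-side detection logic. The following script is an added example and is not the sandbox's own signature code: it replays constructed endpoint events (loosely modelled on Sysmon fields; the event shape, the process IDs, the ".locked" extension, the IP-lookup host list and the rename threshold of 20 are all assumptions) and reports which of the report's behaviours each process triggered. The indicators themselves are copied from the Malware Config section.

```python
"""Flag the behaviours from the sandbox report in constructed endpoint telemetry.
Added example; not the sandbox's code. Event layout is an assumption."""
from collections import Counter, defaultdict

# Indicators copied from the Malware Config section of the report.
C2_HOSTS = {"0.tcp.ngrok.io:19521", "185.136.161.124"}
KNOWN_MUTEXES = {"RV_MUTEX"}
# Assumed: the report only says "a legitimate IP lookup service".
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "checkip.amazonaws.com"}
# Assumed hosting/tunnelling domains behind the "legitimate hosting services abused" signature.
ABUSED_HOSTING = ("ngrok.io", "dropbox.com")
RENAME_THRESHOLD = 20  # assumed; the sandbox counted 3280 renames for this sample


def added_extension(src, dst):
    """Return the extension appended to src to form dst, or None if dst is not src + '.ext'."""
    if dst.startswith(src):
        tail = dst[len(src):]
        if tail.startswith(".") and len(tail) > 1:
            return tail
    return None


def host_of(dest):
    """Strip a trailing ':port' from 'host:port'; bare hosts are returned unchanged."""
    return dest.rsplit(":", 1)[0]


def detect(events, rename_threshold=RENAME_THRESHOLD):
    """Map each pid to the set of report signatures its events matched."""
    hits = defaultdict(set)
    renames = Counter()  # (pid, appended extension) -> count
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "registry_set":
            key = ev["key"].lower()
            if key.endswith("\\policies\\system\\disabletaskmgr") and ev["value"] == "1":
                hits[pid].add("Disables Task Manager via registry modification")
            if "\\currentversion\\run\\" in key:
                hits[pid].add("Adds Run key to start application")
            if key.endswith("\\control panel\\desktop\\wallpaper"):
                hits[pid].add("Sets desktop wallpaper using registry")
        elif kind == "network_connect":
            dest = ev["dest"]
            host = host_of(dest)
            if dest in C2_HOSTS or host in C2_HOSTS:
                hits[pid].add("Connects to known C2")
            if host.endswith(ABUSED_HOSTING):
                hits[pid].add("Legitimate hosting services abused for malware hosting/C2")
            if host in IP_LOOKUP_HOSTS:
                hits[pid].add("Looks up external IP address via web service")
        elif kind == "mutex_create" and ev["name"] in KNOWN_MUTEXES:
            hits[pid].add("RevengeRAT mutex")
        elif kind == "process_create" and ev["image"].lower().endswith("\\vbc.exe"):
            hits[pid].add("Uses the VBS compiler for execution")
        elif kind == "file_rename":
            ext = added_extension(ev["src"], ev["dst"])
            if ext:
                renames[(pid, ext)] += 1
    # Mass renames that add one extension are only reported once they pass the threshold,
    # so a user renaming a couple of files by hand does not trigger the rule.
    for (pid, ext), n in renames.items():
        if n >= rename_threshold:
            hits[pid].add(f"Renames multiple ({n}) files with added filename extension {ext}")
    return dict(hits)


def build_sample_events():
    """Constructed telemetry for illustration; not captured from the sample."""
    rat = 4120  # assumed pid of the dropped payload
    ev = [
        {"pid": rat, "type": "registry_set", "value": "1",
         "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"},
        {"pid": rat, "type": "registry_set", "value": r"C:\Users\u\AppData\Roaming\updater.exe",
         "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
        {"pid": rat, "type": "registry_set", "value": r"C:\Users\u\AppData\Roaming\wall.bmp",
         "key": r"HKCU\Control Panel\Desktop\Wallpaper"},
        {"pid": rat, "type": "network_connect", "dest": "0.tcp.ngrok.io:19521"},
        {"pid": rat, "type": "network_connect", "dest": "api.ipify.org:443"},
        {"pid": rat, "type": "mutex_create", "name": "RV_MUTEX"},
        {"pid": 6100, "type": "network_connect", "dest": "185.136.161.124:443"},  # port assumed
        {"pid": 5212, "type": "process_create",
         "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"},
        # A benign process renaming two files must stay below the threshold.
        {"pid": 900, "type": "file_rename", "src": r"C:\Users\u\notes.txt", "dst": r"C:\Users\u\notes.txt.bak"},
        {"pid": 900, "type": "file_rename", "src": r"C:\Users\u\todo.txt", "dst": r"C:\Users\u\todo.txt.bak"},
    ]
    for i in range(40):
        src = rf"C:\Users\u\Documents\doc{i}.docx"
        ev.append({"pid": rat, "type": "file_rename", "src": src, "dst": src + ".locked"})
    return ev


if __name__ == "__main__":
    for pid, sigs in sorted(detect(build_sample_events()).items()):
        print(pid, sorted(sigs))
```

The rename rule keys on (pid, appended extension) rather than on raw rename volume, which is what separates encryption-style renaming from build tools or backup jobs that touch many files with mixed extensions; tune RENAME_THRESHOLD to the environment.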
