General

  • Target: IMG_20240822_150406.jpg
  • Size: 584KB
  • Sample: 240904-s6v6qstank
  • MD5: 5097affc6842d19aa393f03c4138e640
  • SHA1: b24b8fdd3db9c20eb3687124941b35661ee534c1
  • SHA256: 9859eb9128b962a0d882c7205aa6f5310cf48bab15636a2eb55d81f043644e70
  • SHA512: 6bd73c88cd4b2f7655f073a9e8721b6e448546ab4a41db7eff82f6e001f20bb5d95199fe998625dc381a0420a0052ec026cf963554fc0de69eb30a9e4629c2df
  • SSDEEP: 12288:CjrKKyIuioUKhZ2HezKye7EX3fKlBj0ZURVej8Tu:vyEUKhZ2HezIEX3f0Bwuq

Malware Config

Extracted

  • Family: revengerat
  • Botnet: Guest
  • C2: 0.tcp.ngrok.io:19521
  • Mutex: RV_MUTEX

Targets

    • Target: IMG_20240822_150406.jpg (584KB; hashes as listed under General)

    • Chimera

      Ransomware which infects local and network files, often distributed via Dropbox links.

    • Chimera Ransomware Loader DLL

      Drops/unpacks executable file which resembles Chimera's Loader.dll.

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • RevengeRat Executable

    • Downloads MZ/PE file

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Drops startup file

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15