chimera | c5b23ac2026c16bfa8c5783cdc8f980e46d146666eb5e5fbb8f5a84d029a4b8a | Triage

Submit
Reports

Overview

overview

Static

static

1

penisware2.html

windows11-21h2-x64

Sharing

General

Target

penisware2.exe
Size

4KB
Sample

241027-wkcn2s1ejk
MD5

e0d21602c9cf14e35c33f9cc4f6958ae
SHA1

0d2b10cb46d1a5def7665527ece2e40210cd4938
SHA256

c5b23ac2026c16bfa8c5783cdc8f980e46d146666eb5e5fbb8f5a84d029a4b8a
SHA512

03ceb24c9f080fdcd17f2be8c83ef23b3ab06b2d47e9d187c4ec2562841f35971fafec750da0c04b883eda4cb1e2fe52e333c7422039fa8b297d543fab7bd054
SSDEEP

96:1j9jwIjYjUDK/D5DMF+BOiVAZpCZLqmePrRU9PaQxJbGD:1j9jhjYjIK/Vo+t6kZ2mePry9ieJGD

Score

10^/10

chimera defense_evasion discovery ransomware spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

penisware2.html

Resource

win11-20241007-en

chimera defense_evasion discovery ransomware spyware stealer

windows11-21h2-x64

25 signatures

150 seconds

Malware Config

Targets

- Target
  
  penisware2.exe
- Size
  
  4KB
- MD5
  
  e0d21602c9cf14e35c33f9cc4f6958ae
- SHA1
  
  0d2b10cb46d1a5def7665527ece2e40210cd4938
- SHA256
  
  c5b23ac2026c16bfa8c5783cdc8f980e46d146666eb5e5fbb8f5a84d029a4b8a
- SHA512
  
  03ceb24c9f080fdcd17f2be8c83ef23b3ab06b2d47e9d187c4ec2562841f35971fafec750da0c04b883eda4cb1e2fe52e333c7422039fa8b297d543fab7bd054
- SSDEEP
  
  96:1j9jwIjYjUDK/D5DMF+BOiVAZpCZLqmePrRU9PaQxJbGD:1j9jhjYjIK/Vo+t6kZ2mePry9ieJGD
Score

10^/10

chimera defense_evasion discovery ransomware spyware stealer
- Chimera
  Ransomware which infects local and network files, often distributed via Dropbox links.
  ransomware chimera
- Chimera Ransomware Loader DLL
  Drops/unpacks executable file which resembles Chimera's Loader.dll.
  ransomware
- Chimera family
  chimera
- Renames multiple (3271) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Downloads MZ/PE file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

chimeradefense_evasiondiscoveryransomwarespywarestealer

© 2018-2024

Terms | Privacy