Overview

overview

10

Static

static

3

libcrypto-3-x64.dll

windows11-21h2-x64

Resubmissions

14-01-2025 09:10

250114-k48eaatncw 8

14-01-2025 08:58

250114-kxfqpavrdj 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    libcrypto-3-x64.dll

  • Size

    4.5MB

  • Sample

    250114-kxfqpavrdj

  • MD5

    a9c1f7ca15c65c139bc9d4bf57df2e1e

  • SHA1

    1b1377139a6b289d43a6b1161cd1089ffc817cf9

  • SHA256

    03ec9292dcdfda520638490e11baeefff5ab1b6eb22feb90a22fc771272ce116

  • SHA512

    97f8745dba6330c196de9b822638bfe7f74a86bdcb6726f4bd1d3d917de54f9abcb05163c42255173eac3bde995f0d611af718dbcc0de432b67666bed0c0b073

  • SSDEEP

    98304:Ml+f+K26t8Te5zUeP4xA1CPwDvt3uFGCCQ:4Ctt8Te5zUewxA1CPwDvt3uFGCC

Score
10/10
chimeracredential_accessdefense_evasiondiscoverymacromacro_on_actionpersistenceransomwarespywarestealer

Malware Config

Targets

    • Target

      libcrypto-3-x64.dll

    • Size

      4.5MB

    • MD5

      a9c1f7ca15c65c139bc9d4bf57df2e1e

    • SHA1

      1b1377139a6b289d43a6b1161cd1089ffc817cf9

    • SHA256

      03ec9292dcdfda520638490e11baeefff5ab1b6eb22feb90a22fc771272ce116

    • SHA512

      97f8745dba6330c196de9b822638bfe7f74a86bdcb6726f4bd1d3d917de54f9abcb05163c42255173eac3bde995f0d611af718dbcc0de432b67666bed0c0b073

    • SSDEEP

      98304:Ml+f+K26t8Te5zUeP4xA1CPwDvt3uFGCCQ:4Ctt8Te5zUewxA1CPwDvt3uFGCC

    Score
    10/10
    chimeracredential_accessdefense_evasiondiscoverymacromacro_on_actionpersistenceransomwarespywarestealer

    • Chimera

      Ransomware which infects local and network files, often distributed via Dropbox links.

      ransomwarechimera

    • Chimera Ransomware Loader DLL

      Drops/unpacks executable file which resembles Chimera's Loader.dll.

      ransomware

    • Chimera family

      chimera

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Renames multiple (3260) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Downloads MZ/PE file

    • Office macro that triggers on suspicious action

      Office document macro which triggers in special circumstances - often malicious.

      macromacro_on_action

    • Drops startup file

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks