Extracted

• • Target

    b231263f-0b92-4f02-9e71-3d6a05534490.jpg

  • Size

    26KB

  • MD5

    99cfb36285d82796d745c8a199f6acff

  • SHA1

    ab990d5b00d7878178a6e77553152149ce4f56c3

  • SHA256

    afc3ff71d364c14eecc12918e7c00a435943005fc86dafa53da529f0a9c95285

  • SHA512

    3a9558a9e628aac5af58f98a9e7056fe5a2741517067f0f9ebac9a800d6bd564433ab0b3910746f99e82573d2ba176241ce3d3b25961a6c27ae828c0d4defd26

  • SSDEEP

    768:Z3Bt4w6U03dxH1/ARsjefQIbwTj5pW0JPfmXkD+lakhXOsX0:Z3BtNZAdxHdARkef7bQ5I8POEqY

  Score

  10^/10

  chimeradanabotadwarebankerbotnetdefense_evasiondiscoverypersistenceprivilege_escalationransomwarespywarestealertrojan

  • Chimera

    Ransomware which infects local and network files, often distributed via Dropbox links.

    ransomwarechimera

  • Chimera Ransomware Loader DLL

    Drops/unpacks executable file which resembles Chimera's Loader.dll.

    ransomware

  • Chimera family

    chimera

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot

  • Danabot family

    danabot

  • Danabot x86 payload

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    botnet

  • Renames multiple (3269) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Blocklisted process makes network request

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Disables Task Manager via registry modification

    defense_evasion

  • Downloads MZ/PE file

  • Event Triggered Execution: Image File Execution Options Injection

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Drops desktop.ini file(s)

  • Installs/modifies Browser Helper Object

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks system information in the registry

    System information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist

    discovery
  behavioral1