MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58e9f60d0b951029578cc1054668bfee2f00cfa029cfbd01ea65c7f61713a40a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Lampion


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58e9f60d0b951029578cc1054668bfee2f00cfa029cfbd01ea65c7f61713a40a
SHA3-384 hash: 1df4d28d57fac4baa8a412ed342e411d48315a4ff745bb9d367f98420d9d23280fd26a3fb9b24bd5b8007318122d3513
SHA1 hash: dbaeba54fcae50acc36565d0f61ad73df6df7d45
MD5 hash: 4e4a4a4eb6a77d72af83b2bbd0698593
humanhash: victor-hydrogen-bravo-berlin
File name:AnyDeskAPP.msi
Download: download sample
Signature Lampion
Create hunting rule
File size:1'439'232 bytes
First seen:2023-01-18 23:21:12 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:Y+rwxLNjY3Wx0ECIgYmfLVYeBZrWAv12h2SekeUuyZD6lvs0zqa3:TrMjYMZKumZrWAWTreUuyZD6lvVz9
Threatray 16'559 similar samples on MalwareBazaar
TLSH T12A659D21338AC53BD9AE02702529966F6569FDA30B3140D7E3C8293E9DF44D2A739F53
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter proxylife
Tags:Lampion msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
IE IE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354282/
Detection(s):
SecuriteInfo.com.PUA.Powershell.Downloader-3.UNOFFICIAL
Create hunting rule

Sanesecurity.Badmacro.Doc.newobj.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
83%
Tags:
greyware shell32.dll
Link:
https://www.filescan.io/uploads/63c87f1cafdaca54d43939bc/reports/41ce43bc-e910-4568-892c-e346e117fa7e/overview
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/58e9f60d0b951029578cc1054668bfee2f00cfa029cfbd01ea65c7f61713a40a
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
IPv4 Dotted Quad URL
A URL was detected referencing a direct IP address, as opposed to a domain name.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1154257
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Hides threads from debuggers
PE file contains section with special chars
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected MalDoc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 786989 Sample: AnyDeskAPP.msi Startdate: 19/01/2023 Architecture: WINDOWS Score: 84 51 Antivirus detection for URL or domain 2->51 53 Yara detected MalDoc 2->53 55 Tries to detect sandboxes and other dynamic analysis tools (window names) 2->55 57 PE file contains section with special chars 2->57 8 msiexec.exe 79 34 2->8         started        11 iexplore.exe 2 60 2->11         started        13 msiexec.exe 4 2->13         started        process3 file4 35 C:\Windows\Installer\551ee7.msi, Composite 8->35 dropped 37 C:\Windows\Installer\551ee4.msi, Composite 8->37 dropped 39 C:\Windows\Installer\MSI25EF.tmp, PE32 8->39 dropped 41 4 other files (none is malicious) 8->41 dropped 15 msiexec.exe 8 8->15         started        19 iexplore.exe 1 31 11->19         started        process5 file6 43 C:\Users\user\AppData\Local\...\scr2648.ps1, Unicode 15->43 dropped 45 C:\Users\user\AppData\Local\...\pss264A.ps1, Unicode 15->45 dropped 49 Bypasses PowerShell execution policy 15->49 21 powershell.exe 21 28 15->21         started        signatures7 process8 dnsIp9 47 5.199.162.122, 49697, 80 CHERRYSERVERS1-ASLT Lithuania 21->47 31 C:\redimir\...\Winexacerbado.exe (copy), PE32 21->31 dropped 33 C:\redimir\expedi  o\windows.exe, PE32 21->33 dropped 59 Powershell drops PE file 21->59 26 Winexacerbado.exe 21->26         started        29 conhost.exe 21->29         started        file10 signatures11 process12 signatures13 61 Query firmware table information (likely to detect VMs) 26->61 63 Hides threads from debuggers 26->63 65 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->65
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/58e9f60d0b951029578cc1054668bfee2f00cfa029cfbd01ea65c7f61713a40a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-01-18 23:20:54 UTC
File Type:
Binary (Archive)
Extracted files:
75
AV detection:
2 of 36 (5.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ldu7mdilsuicsv4myecum2f75yxqbt5afhh32apkmxd7mfytuqfa._file
Verdict:
unknown
Similar samples:
2d38b3e2d84638d146a476b7798635569f4f8c0841166a44b628260180d10ecd
Lampion
41db78fad794ca70ba68d9225112a0a8f6d50799effca89a88736e3df0c925ae
Lampion
5232589e3096a9f29234f1927955c884e544b6177d027658bac201a64a63ce25
Lampion
74da2e5d659f93e151c0c79b2a09691299689ac406c7c5d04d7cfeac79ee7a13
Lampion
acda9ae5a6c865eb3291e1bb7cc41e6b0f86a12e180c984a2f4fcb302505021b
Lampion
b1e542752d5c1a59c5efa28cd63de4235b394bdd700c3e3fb6daf71e10de7d72
Lampion
cbcf193959725222c09482cd5ff685b63c0a6b564e6e07fa7f605bc3bcc2ba6e
Lampion
d565f4380b4f2d25673f08df8e88d331e0daf7946a73c83e8d1630e2b347ddf9
Lampion
e13fb6156b386d9cea3a46c3835a97636ad0eeddda3b354f86f19915721638fc
Lampion
ec229f1ad78606be5679a7eae572f5072b0ab760ad1bb3e0a6dcbb3bc0058b5c
Lampion
+ 16'549 additional samples on MalwareBazaar
Result
Malware family:
lampion
Create hunting rule
Score:
  10/10
Tags:
family:lampion banker evasion persistence trojan
Link:
https://tria.ge/reports/230118-3cj7gsce45/
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Checks BIOS information in registry
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lampion
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/58e9f60d0b951029578cc1054668bfee2f00cfa029cfbd01ea65c7f61713a40a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/354282/

Comments