File name:	Trojan.Ransom.Chimera
Full analysis:	https://app.any.run/tasks/e2274978-4e34-4710-9593-66801ce76156
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 04, 2024, 20:26:56
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	ransomware chimera stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	60FABD1A2509B59831876D5E2AA71A6B
SHA1:	8B91F3C4F721CB04CC4974FC91056F397AE78FAA
SHA256:	1DACDC296FD6EF6BA817B184CCE9901901C47C01D849ADFA4222BFABFED61838
SSDEEP:	3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKDQ:BMh5H7j5g54YZKXoxOuEEl64HZAiE

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (81)
.dll	\|	Win32 Dynamic Link Library (generic) (7.2)
.exe	\|	Win32 Executable (generic) (4.9)
.exe	\|	Win16/32 Executable Delphi generic (2.2)
.exe	\|	Generic Win/DOS Executable (2.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2015:09:17 10:24:25+02:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	8
CodeSize:	217088
InitializedDataSize:	16384
UninitializedDataSize:	-
EntryPoint:	0x3644e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(6092) Trojan.Ransom.Chimera.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6092) Trojan.Ransom.Chimera.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6092) Trojan.Ransom.Chimera.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6092) Trojan.Ransom.Chimera.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(3976) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(3976) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(3976) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation:	write	Name:	StatusCodes
Value: 01000000
(PID) Process:	(3976) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2

PID	Process	Filename		Type
6092	Trojan.Ransom.Chimera.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Java\jre1.8.0_271\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML		html
		MD5:C9FBA7DF99B5E41DBD0E7D7C0803092E	SHA256:10256E30715467B38970EBBCEDA2E9D79CBAA2BC78CB4B317A3AFF10E0BBB271
6092	Trojan.Ransom.Chimera.exe	C:\Program Files\Java\jre1.8.0_271\bin\server\Xusage.txt		binary
		MD5:F49A0303F00F24298AD4C0373A349E6F	SHA256:748DEA3EA01713028C8912E19C6FC31E238A66E0C2D0A8DBAF3543994EFCD4CD
6092	Trojan.Ransom.Chimera.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Microsoft Office\root\Office16\1031\DataServices\YOUR_FILES_ARE_ENCRYPTED.HTML		html
		MD5:C9FBA7DF99B5E41DBD0E7D7C0803092E	SHA256:10256E30715467B38970EBBCEDA2E9D79CBAA2BC78CB4B317A3AFF10E0BBB271
6092	Trojan.Ransom.Chimera.exe	C:\Program Files\Java\jre1.8.0_271\bin\server\Xusage.txt.crypt		binary
		MD5:F49A0303F00F24298AD4C0373A349E6F	SHA256:748DEA3EA01713028C8912E19C6FC31E238A66E0C2D0A8DBAF3543994EFCD4CD
6092	Trojan.Ransom.Chimera.exe	C:\Program Files\Microsoft Office\root\Office16\1031\DataServices\+NeueSQLServerVerbindung.odc		binary
		MD5:B72F1D735ABD1B60366957FDBD80FA84	SHA256:296D0BC9DD41E071903FA2994426C0BC3DF92A4CCA25BCA953C80A0080E3FCD4
6092	Trojan.Ransom.Chimera.exe	C:\Program Files\Java\jre1.8.0_271\README.txt		binary
		MD5:FCFA959240A9379891E25D5098E5F1D2	SHA256:102ED88524CA40AEAB5FF3F5416CEC0102B2F4A24E1C3453B096A3046BB96EF7
6092	Trojan.Ransom.Chimera.exe	C:\Program Files\Microsoft Office\root\Office16\1031\WacLangPackEula.txt		binary
		MD5:BF5A011AF839AB7704CC312C84879E27	SHA256:BABAE955A74D7B2CC14C61C26632B66B2566A76E648BEF54F351D6E57CBB00B5
6092	Trojan.Ransom.Chimera.exe	C:\Program Files\Microsoft Office\root\Office16\1031\DataServices\+Verbindung mit neuer Datenquelle herstellen.odc.crypt		binary
		MD5:D6DF56E992830B244A0B1B32E8A726C9	SHA256:64EBED6A74C918CF128FECC425839F297DB7BF307C5CBD1D089C5DDDEAFCADAC
6092	Trojan.Ransom.Chimera.exe	C:\Program Files\Microsoft Office\root\Office16\1031\WacLangPackEula.txt.crypt		binary
		MD5:BF5A011AF839AB7704CC312C84879E27	SHA256:BABAE955A74D7B2CC14C61C26632B66B2566A76E648BEF54F351D6E57CBB00B5
6092	Trojan.Ransom.Chimera.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Java\jre1.8.0_271\lib\YOUR_FILES_ARE_ENCRYPTED.HTML		html
		MD5:C9FBA7DF99B5E41DBD0E7D7C0803092E	SHA256:10256E30715467B38970EBBCEDA2E9D79CBAA2BC78CB4B317A3AFF10E0BBB271

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6492	msedge.exe	GET	302	88.221.169.152:443	https://go.microsoft.com/fwlink/?linkid=2133855&bucket=15	unknown	—	—	—
3868	svchost.exe	GET	206	104.103.72.50:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1707507571&P2=404&P3=2&P4=cHOQsE5fXCCg5ZK81QG8jEoThGoEFInT%2bFYmHovgMtOZMArgLFTS32u7ZF5I%2fZMPWrLkjfChZP7DHm7H%2fr7whQ%3d%3d	unknown	binary	1.61 Kb	unknown
3868	svchost.exe	HEAD	200	104.103.72.50:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1707507571&P2=404&P3=2&P4=cHOQsE5fXCCg5ZK81QG8jEoThGoEFInT%2bFYmHovgMtOZMArgLFTS32u7ZF5I%2fZMPWrLkjfChZP7DHm7H%2fr7whQ%3d%3d	unknown	—	—	unknown
3868	svchost.exe	GET	206	104.103.72.50:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1707507571&P2=404&P3=2&P4=cHOQsE5fXCCg5ZK81QG8jEoThGoEFInT%2bFYmHovgMtOZMArgLFTS32u7ZF5I%2fZMPWrLkjfChZP7DHm7H%2fr7whQ%3d%3d	unknown	binary	1.09 Kb	unknown
3868	svchost.exe	GET	206	104.103.72.50:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1707507571&P2=404&P3=2&P4=cHOQsE5fXCCg5ZK81QG8jEoThGoEFInT%2bFYmHovgMtOZMArgLFTS32u7ZF5I%2fZMPWrLkjfChZP7DHm7H%2fr7whQ%3d%3d	unknown	binary	3.72 Kb	unknown
3868	svchost.exe	GET	206	104.103.72.50:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1707507571&P2=404&P3=2&P4=cHOQsE5fXCCg5ZK81QG8jEoThGoEFInT%2bFYmHovgMtOZMArgLFTS32u7ZF5I%2fZMPWrLkjfChZP7DHm7H%2fr7whQ%3d%3d	unknown	binary	3.53 Kb	unknown
3868	svchost.exe	GET	206	104.103.72.50:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1707507571&P2=404&P3=2&P4=cHOQsE5fXCCg5ZK81QG8jEoThGoEFInT%2bFYmHovgMtOZMArgLFTS32u7ZF5I%2fZMPWrLkjfChZP7DHm7H%2fr7whQ%3d%3d	unknown	binary	2.62 Kb	unknown
6492	msedge.exe	GET	304	13.107.42.16:443	https://config.edge.skype.com/config/v1/Edge/111.0.1661.62?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig%2CEdgeDomainActions&osname=win&client=edge&channel=stable&scpfull=0&scpguard=0&scpfre=0&scpver=0&osarch=x86_64&osver=10.0.19044&wu=1&devicefamily=desktop&uma=0&sessionid=13&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245	unknown	—	—	—
3868	svchost.exe	GET	206	104.103.72.50:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1707507571&P2=404&P3=2&P4=cHOQsE5fXCCg5ZK81QG8jEoThGoEFInT%2bFYmHovgMtOZMArgLFTS32u7ZF5I%2fZMPWrLkjfChZP7DHm7H%2fr7whQ%3d%3d	unknown	binary	9.66 Kb	unknown
6492	msedge.exe	GET	200	216.58.206.42:80	http://fonts.googleapis.com/css?family=Audiowide	unknown	text	349 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
6092	Trojan.Ransom.Chimera.exe	95.165.168.168:8444	—	PJSC Moscow city telephone network	RU	unknown
6092	Trojan.Ransom.Chimera.exe	158.222.211.81:8080	—	TWC-12271-NYC	US	unknown
6492	msedge.exe	23.43.62.58:443	go.microsoft.com	Akamai International B.V.	US	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
6492	msedge.exe	204.79.197.239:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
3720	svchost.exe	239.255.255.250:1900	—	—	—	unknown
3868	svchost.exe	104.103.72.50:80	msedge.b.tlu.dl.delivery.mp.microsoft.com	Akamai International B.V.	AT	unknown
6492	msedge.exe	216.58.206.42:80	fonts.googleapis.com	GOOGLE	US	whitelisted
6492	msedge.exe	172.67.165.22:443	www.veryicon.com	CLOUDFLARENET	US	unknown
6492	msedge.exe	216.58.206.35:80	fonts.gstatic.com	GOOGLE	US	whitelisted

Domain	IP	Reputation
bot.whatismyipaddress.com	—	unknown
go.microsoft.com	23.43.62.58	whitelisted
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
msedge.b.tlu.dl.delivery.mp.microsoft.com	104.103.72.50 104.103.72.98	whitelisted
fonts.googleapis.com	216.58.206.42	whitelisted
www.veryicon.com	172.67.165.22 104.21.11.28	unknown
fonts.gstatic.com	216.58.206.35	whitelisted
i.imgur.com	146.75.116.193	shared
edgeassetservice.azureedge.net	13.107.246.45 13.107.213.45	whitelisted
edgeservices.bing.com	92.123.104.12 92.123.104.11 92.123.104.19 92.123.104.16 92.123.104.21 92.123.104.9 92.123.104.10 92.123.104.8 92.123.104.13	whitelisted

PID	Process	Class	Message
6092	Trojan.Ransom.Chimera.exe	Potential Corporate Privacy Violation	ET POLICY Bitmessage Activity
6092	Trojan.Ransom.Chimera.exe	Potential Corporate Privacy Violation	ET MALWARE Possible Chimera Ransomware - Bitmessage Activity
6092	Trojan.Ransom.Chimera.exe	Potential Corporate Privacy Violation	ET POLICY Bitmessage Activity
6092	Trojan.Ransom.Chimera.exe	Potential Corporate Privacy Violation	ET MALWARE Possible Chimera Ransomware - Bitmessage Activity
6092	Trojan.Ransom.Chimera.exe	Potential Corporate Privacy Violation	ET POLICY Bitmessage Activity
6092	Trojan.Ransom.Chimera.exe	Potential Corporate Privacy Violation	ET MALWARE Possible Chimera Ransomware - Bitmessage Activity
6092	Trojan.Ransom.Chimera.exe	Potential Corporate Privacy Violation	ET POLICY Bitmessage Activity
6092	Trojan.Ransom.Chimera.exe	Potential Corporate Privacy Violation	ET MALWARE Possible Chimera Ransomware - Bitmessage Activity
6092	Trojan.Ransom.Chimera.exe	Potential Corporate Privacy Violation	ET POLICY Bitmessage Activity
6092	Trojan.Ransom.Chimera.exe	Potential Corporate Privacy Violation	ET MALWARE Possible Chimera Ransomware - Bitmessage Activity

General Info

Trojan.Ransom.Chimera

60FABD1A2509B59831876D5E2AA71A6B

8B91F3C4F721CB04CC4974FC91056F397AE78FAA

1DACDC296FD6EF6BA817B184CCE9901901C47C01D849ADFA4222BFABFED61838

3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKDQ:BMh5H7j5g54YZKXoxOuEEl64HZAiE

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Actions looks like stealing of personal data

CHIMERA has been detected (SURICATA)

Renames files like ransomware

SUSPICIOUS

Connects to unusual port

Creates files like ransomware instruction

INFO

Reads the computer name

Application launched itself

Checks proxy server information

Reads the machine GUID from the registry

Creates files or folders in the user directory

Manual execution by a user

Checks supported languages

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings