Resubmissions

11/03/2025, 01:41

250311-b4hzyswlx2 10

General

  • Target

    VMX Spoofer.exe

  • Size

    29.9MB

  • Sample

    250311-b4hzyswlx2

  • MD5

    a1826565a642ea8a947af0bdc9e52fc4

  • SHA1

    f645b91db259dbc3ed0188b43ba0a0eeb708fe45

  • SHA256

    90b37e700b2fbbf88391345f632c94759503a0ed672b92606feffdc21318ad85

  • SHA512

    bdc56afc7c2af7822718d13b6a085edf2e80fb836d997851ea7eb85b0cbe8f8135a88bbf6857ce60c2f27dd90ae93476599250e64cc55719524cb09a8f234b46

  • SSDEEP

    786432:low/lmW8HfX3Oql8dPX4EpsfP/FcMnen:blmW0P3jlmPjpsXqM2

Malware Config

Extracted

Family

danabot

C2

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Targets

    • Target

      VMX Spoofer.exe

    • Size

      29.9MB

    • MD5

      a1826565a642ea8a947af0bdc9e52fc4

    • SHA1

      f645b91db259dbc3ed0188b43ba0a0eeb708fe45

    • SHA256

      90b37e700b2fbbf88391345f632c94759503a0ed672b92606feffdc21318ad85

    • SHA512

      bdc56afc7c2af7822718d13b6a085edf2e80fb836d997851ea7eb85b0cbe8f8135a88bbf6857ce60c2f27dd90ae93476599250e64cc55719524cb09a8f234b46

    • SSDEEP

      786432:low/lmW8HfX3Oql8dPX4EpsfP/FcMnen:blmW0P3jlmPjpsXqM2

    • Adds autorun key to be loaded by Explorer.exe on startup

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    • Crimsonrat family

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Danabot family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Blocklisted process makes network request

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Boot or Logon Autostart Execution: Port Monitors

      Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Event Triggered Execution: Image File Execution Options Injection

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Boot or Logon Autostart Execution: Print Processors

      Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Indicator Removal: Clear Persistence

      remove IFEO.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Modifies WinLogon

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      discord_token_grabber.pyc

    • Size

      16KB

    • MD5

      924ef065a5167d44170ac81a60cc6fbe

    • SHA1

      ebfa171438758dd9810369d3077f618bfab5bc09

    • SHA256

      78a36fae762432c89f4c0b185e5c227144817199dbde90d16749c6bfc0fb1dd1

    • SHA512

      15a2144fe6e0e081856fd875bcbb239a83da115dce2cda1924f71cfc401f13f681d5047cb80b40cdcdcb617c12d9c12f7bfdc15d38177ace8685c59bb631afdc

    • SSDEEP

      192:bIqqTmuEWauge+M6DA8AYv++JDcNQshU8En5W4NXOYd/G7XW:+9avP588A+DDWRm5FOUG7XW

    Score
    3/10
    • Target

      get_cookies.pyc

    • Size

      9KB

    • MD5

      c9a6c4ec57f83d1aa200fe076665c42c

    • SHA1

      42bf07fb97a2ccd29a67067ae9ead40548e046b9

    • SHA256

      ec0628cca3f23628d1ff24a88e8215238eee1601cfe9e49a4525fdca15034497

    • SHA512

      ffe8ba3ff8edb65ff53b9006fa327991f9c272ace5f7cfb387080d8cd23f994842eee49246f1c32d41d6e081dff1a04f9c6b3e5d5e5e2f3cd96fead21fa09745

    • SSDEEP

      192:srJe41QfUE0xZVbFAI6dokUpjYnuHN3gQ:iQBifedokqYnuHN3gQ

    Score
    3/10
    • Target

      misc.pyc

    • Size

      4KB

    • MD5

      36ed907d6c57862deacc25f4da2bde11

    • SHA1

      0e21743b8eff2688e13055bfe26467cd3af43559

    • SHA256

      8ebd34d6a4a41a2107ab7000da651fed3996ae0e13291fe6970971b5bc0e5087

    • SHA512

      89dca2a052a77c829423d0cc1389e83b645ae97d063ccef2f47188c3b83dfeef6632d116cac714df01c908b148767d59e46006bded668f046fc78a564c52fdd4

    • SSDEEP

      96:vDh/7Y8hYPUywfLDwfPsULKliOCpmrSTUpjdaJuo1kUZsX3g:vVR5ywfwXsULPJmDpjwN1kIo3g

    Score
    3/10
    • Target

      passwords_grabber.pyc

    • Size

      7KB

    • MD5

      cc180daa11732953527c69ac7bbea3b1

    • SHA1

      24ea916374f1fe5981219c1c330ba8f851571e9e

    • SHA256

      6a67c8b0591fef85f8436d152361796d4bf1fb3ddf46a5af873743cc16ece1fe

    • SHA512

      5e4e259999b3155ca5d9f55de691ced7c918acdab8b7c3ef7bca69903d6057a6c102a997b4b2af4a655026b3dd3ea8aed855306633392ab6a9171e70a34dbfbb

    • SSDEEP

      192:0tkwY6bLQ3hT8+NE102sGMleDkUhMbvEh:dwY6bLQ3RzHOMER

    Score
    3/10
    • Target

      source_prepared.pyc

    • Size

      171KB

    • MD5

      7e1927afc400d2d7290c5f3450f8ad90

    • SHA1

      fe682567a4419614d3daeb7fea3c4ba362ec853a

    • SHA256

      a4b1cc04e4e4e7189d3ae3854ea5e659c1d231f364bc03ad0648c1195e6e40b0

    • SHA512

      ffda2edd88998c601218e310d63494a8f4d869e23af29fb4b6d505c7bafdd8130152120ccff4059dc1bfff5b656d7ab17a256303d3db581684941f66f76c21d2

    • SSDEEP

      3072:N5UawF05YGl3S2SVfUFoGoD7iD6GxrhQpvqda+oqXsilDY:NE65hlrSNGo6r6Jqda+1sKY

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks