crimsonrat

General

Target

VMX Spoofer.exe
Size

29.9MB
Sample

250311-b4hzyswlx2
MD5

a1826565a642ea8a947af0bdc9e52fc4
SHA1

f645b91db259dbc3ed0188b43ba0a0eeb708fe45
SHA256

90b37e700b2fbbf88391345f632c94759503a0ed672b92606feffdc21318ad85
SHA512

bdc56afc7c2af7822718d13b6a085edf2e80fb836d997851ea7eb85b0cbe8f8135a88bbf6857ce60c2f27dd90ae93476599250e64cc55719524cb09a8f234b46
SSDEEP

786432:low/lmW8HfX3Oql8dPX4EpsfP/FcMnen:blmW0P3jlmPjpsXqM2

Score

10^/10

Malware Config

Extracted

Family

danabot

C2

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Targets

- Target
  
  VMX Spoofer.exe
- Size
  
  29.9MB
- MD5
  
  a1826565a642ea8a947af0bdc9e52fc4
- SHA1
  
  f645b91db259dbc3ed0188b43ba0a0eeb708fe45
- SHA256
  
  90b37e700b2fbbf88391345f632c94759503a0ed672b92606feffdc21318ad85
- SHA512
  
  bdc56afc7c2af7822718d13b6a085edf2e80fb836d997851ea7eb85b0cbe8f8135a88bbf6857ce60c2f27dd90ae93476599250e64cc55719524cb09a8f234b46
- SSDEEP
  
  786432:low/lmW8HfX3Oql8dPX4EpsfP/FcMnen:blmW0P3jlmPjpsXqM2
Score

10^/10

crimsonrat danabot adware aspackv2 banker defense_evasion discovery persistence privilege_escalation rat stealer trojan upx
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- CrimsonRAT main payload
- CrimsonRat
  Crimson RAT is a malware linked to a Pakistani-linked threat actor.
  rat crimsonrat
- Crimsonrat family
  crimsonrat
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Danabot family
  danabot
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  defense_evasion
- Modifies security service
  defense_evasion
- Blocklisted process makes network request
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Boot or Logon Autostart Execution: Port Monitors
  Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.
  persistence
- Downloads MZ/PE file
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Boot or Logon Autostart Execution: Print Processors
  Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Indicator Removal: Clear Persistence
  remove IFEO.
  defense_evasion
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1
- Target
  
  discord_token_grabber.pyc
- Size
  
  16KB
- MD5
  
  924ef065a5167d44170ac81a60cc6fbe
- SHA1
  
  ebfa171438758dd9810369d3077f618bfab5bc09
- SHA256
  
  78a36fae762432c89f4c0b185e5c227144817199dbde90d16749c6bfc0fb1dd1
- SHA512
  
  15a2144fe6e0e081856fd875bcbb239a83da115dce2cda1924f71cfc401f13f681d5047cb80b40cdcdcb617c12d9c12f7bfdc15d38177ace8685c59bb631afdc
- SSDEEP
  
  192:bIqqTmuEWauge+M6DA8AYv++JDcNQshU8En5W4NXOYd/G7XW:+9avP588A+DDWRm5FOUG7XW
Score

3^/10
behavioral2
- Target
  
  get_cookies.pyc
- Size
  
  9KB
- MD5
  
  c9a6c4ec57f83d1aa200fe076665c42c
- SHA1
  
  42bf07fb97a2ccd29a67067ae9ead40548e046b9
- SHA256
  
  ec0628cca3f23628d1ff24a88e8215238eee1601cfe9e49a4525fdca15034497
- SHA512
  
  ffe8ba3ff8edb65ff53b9006fa327991f9c272ace5f7cfb387080d8cd23f994842eee49246f1c32d41d6e081dff1a04f9c6b3e5d5e5e2f3cd96fead21fa09745
- SSDEEP
  
  192:srJe41QfUE0xZVbFAI6dokUpjYnuHN3gQ:iQBifedokqYnuHN3gQ
Score

3^/10
behavioral3
- Target
  
  misc.pyc
- Size
  
  4KB
- MD5
  
  36ed907d6c57862deacc25f4da2bde11
- SHA1
  
  0e21743b8eff2688e13055bfe26467cd3af43559
- SHA256
  
  8ebd34d6a4a41a2107ab7000da651fed3996ae0e13291fe6970971b5bc0e5087
- SHA512
  
  89dca2a052a77c829423d0cc1389e83b645ae97d063ccef2f47188c3b83dfeef6632d116cac714df01c908b148767d59e46006bded668f046fc78a564c52fdd4
- SSDEEP
  
  96:vDh/7Y8hYPUywfLDwfPsULKliOCpmrSTUpjdaJuo1kUZsX3g:vVR5ywfwXsULPJmDpjwN1kIo3g
Score

3^/10
behavioral4
- Target
  
  passwords_grabber.pyc
- Size
  
  7KB
- MD5
  
  cc180daa11732953527c69ac7bbea3b1
- SHA1
  
  24ea916374f1fe5981219c1c330ba8f851571e9e
- SHA256
  
  6a67c8b0591fef85f8436d152361796d4bf1fb3ddf46a5af873743cc16ece1fe
- SHA512
  
  5e4e259999b3155ca5d9f55de691ced7c918acdab8b7c3ef7bca69903d6057a6c102a997b4b2af4a655026b3dd3ea8aed855306633392ab6a9171e70a34dbfbb
- SSDEEP
  
  192:0tkwY6bLQ3hT8+NE102sGMleDkUhMbvEh:dwY6bLQ3RzHOMER
Score

3^/10
behavioral5
- Target
  
  source_prepared.pyc
- Size
  
  171KB
- MD5
  
  7e1927afc400d2d7290c5f3450f8ad90
- SHA1
  
  fe682567a4419614d3daeb7fea3c4ba362ec853a
- SHA256
  
  a4b1cc04e4e4e7189d3ae3854ea5e659c1d231f364bc03ad0648c1195e6e40b0
- SHA512
  
  ffda2edd88998c601218e310d63494a8f4d869e23af29fb4b6d505c7bafdd8130152120ccff4059dc1bfff5b656d7ab17a256303d3db581684941f66f76c21d2
- SSDEEP
  
  3072:N5UawF05YGl3S2SVfUFoGoD7iD6GxrhQpvqda+oqXsilDY:NE65hlrSNGo6r6Jqda+1sKY
Score

3^/10
behavioral6