Resubmissions
11/03/2025, 01:41
250311-b4hzyswlx2
Score: 10/10
General
Target: VMX Spoofer.exe
Size: 29.9MB
Sample: 250311-b4hzyswlx2
MD5: a1826565a642ea8a947af0bdc9e52fc4
SHA1: f645b91db259dbc3ed0188b43ba0a0eeb708fe45
SHA256: 90b37e700b2fbbf88391345f632c94759503a0ed672b92606feffdc21318ad85
SHA512: bdc56afc7c2af7822718d13b6a085edf2e80fb836d997851ea7eb85b0cbe8f8135a88bbf6857ce60c2f27dd90ae93476599250e64cc55719524cb09a8f234b46
SSDEEP: 786432:low/lmW8HfX3Oql8dPX4EpsfP/FcMnen:blmW0P3jlmPjpsXqM2
Behavioral tasks (sample, sandbox resource)
behavioral1: VMX Spoofer.exe (resource: win10ltsc2021-20250218-en)
behavioral2: discord_token_grabber.pyc (resource: win10ltsc2021-20250218-en)
behavioral3: get_cookies.pyc (resource: win10ltsc2021-20250218-en)
behavioral4: misc.pyc (resource: win10ltsc2021-20250218-en)
behavioral5: passwords_grabber.pyc (resource: win10ltsc2021-20250217-en)
behavioral6: source_prepared.pyc (resource: win10ltsc2021-20250217-en)
Malware Config
Extracted
danabot
51.178.195.151
51.222.39.81
149.255.35.125
38.68.50.179
51.77.7.204
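The five addresses above are the actionable network indicators in this report. As an added example (not part of the sandbox report or the sandbox's own code), the Python below treats them as Danabot's C2 list and checks a Zeek conn.log against them, keeping the connection state so that a blocked or unanswered handshake still counts as a beacon attempt. The log lines in SAMPLE_CONN_LOG are constructed and carry only the first twelve conn.log columns; the internal hosts 10.0.0.x and the benign peer 203.0.113.10 are hypothetical.

```python
"""Flag connections to the Danabot addresses extracted in this report in a
Zeek conn.log. Added example; the log lines at the bottom are constructed."""
import ipaddress
from typing import Dict, Iterable, Iterator, List, Tuple

# The five addresses from the extracted Danabot config, treated here as its C2 list.
DANABOT_C2 = frozenset(ipaddress.ip_address(a) for a in (
    "51.178.195.151", "51.222.39.81", "149.255.35.125", "38.68.50.179", "51.77.7.204",
))

# First twelve columns of Zeek's conn.log; the constructed rows below carry only these.
CONN_FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state")


def parse_conn_log(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per data row; '#'-prefixed header/meta rows are skipped."""
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.rstrip("\n").split("\t")
        if len(cols) < len(CONN_FIELDS):
            continue  # truncated row, nothing reliable to match on
        yield dict(zip(CONN_FIELDS, cols))


def danabot_c2_hits(lines: Iterable[str]) -> List[Tuple[str, str, str, int, str]]:
    """Return (ts, src, dst, dst_port, conn_state) for every flow to a Danabot address.

    conn_state is kept on purpose: S0 (no reply) or REJ (reset) still shows the
    host tried to reach the C2, which is the signal a responder wants."""
    hits = []
    for rec in parse_conn_log(lines):
        try:
            dst = ipaddress.ip_address(rec["id.resp_h"])
        except ValueError:
            continue  # not an IP literal (e.g. a malformed or hostname column)
        if dst in DANABOT_C2:
            hits.append((rec["ts"], rec["id.orig_h"], str(dst),
                         int(rec["id.resp_p"]), rec["conn_state"]))
    return hits


def infected_hosts(lines: Iterable[str]) -> List[str]:
    """Distinct internal sources that touched any Danabot address."""
    return sorted({h[1] for h in danabot_c2_hits(lines)})


# Constructed conn.log excerpt (TSV with Zeek header lines); the internal hosts
# and 203.0.113.10 are hypothetical, not observations from the sandbox run.
SAMPLE_CONN_LOG = [
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state",
    "1741654912.103\tCxyZ1a\t10.0.0.25\t49812\t51.178.195.151\t443\ttcp\t-\t12.4\t2048\t9120\tSF",
    "1741654913.551\tCabQ2b\t10.0.0.25\t49813\t203.0.113.10\t443\ttcp\tssl\t0.9\t512\t4096\tSF",
    "1741654920.002\tCmnO3c\t10.0.0.25\t49820\t38.68.50.179\t443\ttcp\t-\t0.0\t0\t0\tS0",
    "1741654931.777\tCpqR4d\t10.0.0.40\t51000\t51.77.7.204\t443\ttcp\t-\t3.1\t900\t1200\tREJ",
    "1741654940.000\tCstU5e\t10.0.0.40\t51001\t10.0.0.1\t53\tudp\tdns\t0.01\t60\t120\tSF",
]

if __name__ == "__main__":
    for hit in danabot_c2_hits(SAMPLE_CONN_LOG):
        print("danabot c2 contact:", hit)
    print("hosts to isolate:", infected_hosts(SAMPLE_CONN_LOG))
```

Matching on the responder address alone is deliberate: Danabot's port and TLS use vary between builds, so pinning the rule to 443 would miss reconfigured samples, while the address list is exactly what the config extraction gives you.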
Targets

Target: VMX Spoofer.exe
Size: 29.9MB
MD5: a1826565a642ea8a947af0bdc9e52fc4
SHA1: f645b91db259dbc3ed0188b43ba0a0eeb708fe45
SHA256: 90b37e700b2fbbf88391345f632c94759503a0ed672b92606feffdc21318ad85
SHA512: bdc56afc7c2af7822718d13b6a085edf2e80fb836d997851ea7eb85b0cbe8f8135a88bbf6857ce60c2f27dd90ae93476599250e64cc55719524cb09a8f234b46
SSDEEP: 786432:low/lmW8HfX3Oql8dPX4EpsfP/FcMnen:blmW0P3jlmPjpsXqM2

- Adds autorun key to be loaded by Explorer.exe on startup
- CrimsonRAT main payload
- Crimsonrat family
- Danabot family
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Blocklisted process makes network request
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Boot or Logon Autostart Execution: Port Monitors
  Adversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escalation.
- Downloads MZ/PE file
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Manipulates Digital Signatures
  Attackers can modify the Authenticode and Cryptography registry keys (the SIP and trust-provider entries) so that their binary is treated as validly signed.
- Boot or Logon Autostart Execution: Print Processors
  Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Modifies WinLogon
- Drops file in System32 directory
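Most of the signatures above (Active Setup, Port Monitors, Print Processors, Run keys, Winlogon, IFEO, file-type association, Safe Mode Boot, firewall policy, SIP/trust-provider and root-certificate changes) are writes to a small set of well-known registry locations, which is what makes them cheap to hunt for on other hosts. The Python below is an added example, not code from the sandbox or from this page: it maps Sysmon Event ID 13 (registry value set) records onto those techniques using the standard Windows registry paths for each. The events in SAMPLE_EVENTS are constructed for the example; their file paths, service name and the Active Setup GUID are hypothetical, and the `Field=value|Field=value` line format is an assumed flat export, not Sysmon's native XML.

```python
"""Map Sysmon Event ID 13 (RegistryEvent: value set) records onto the
persistence and defense-evasion locations flagged in this report.
Added example: the events at the bottom are constructed, not sandbox output."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Report signature -> regex over the lower-cased Sysmon TargetObject.
# Paths are the standard Windows registry locations for each technique.
PERSISTENCE_LOCATIONS = [
    ("Active Setup",
     r"\\active setup\\installed components\\[^\\]+\\stubpath$"),
    ("Port Monitors",
     r"\\control\\print\\monitors\\[^\\]+\\driver$"),
    ("Print Processors",
     r"\\control\\print\\environments\\[^\\]+\\print processors\\[^\\]+\\driver$"),
    ("Registry Run Keys / Startup Folder",
     r"\\currentversion\\run(once)?\\[^\\]+$"),
    ("Winlogon Helper DLL",
     r"\\currentversion\\winlogon\\(shell|userinit)$"),
    ("Image File Execution Options Injection",
     r"\\image file execution options\\[^\\]+\\debugger$"),
    ("Change Default File Association",
     r"\\classes\\exefile\\shell\\open\\command\\\(default\)$"),
    ("Safe Mode Boot",
     r"\\control\\safeboot\\(minimal|network)\\"),
    ("Disable or Modify System Firewall",
     r"\\sharedaccess\\parameters\\firewallpolicy\\[^\\]+\\enablefirewall$"),
    ("SIP and Trust Provider Hijacking",
     r"\\cryptography\\(oid\\encodingtype \d+\\cryptsip[^\\]+\\[^\\]+\\dll"
     r"|providers\\trust\\[^\\]+\\[^\\]+\\\$dll)$"),
    ("Install Root Certificate",
     r"\\systemcertificates\\root\\certificates\\[0-9a-f]{40}\\blob$"),
]
_RULES = [(label, re.compile(rx)) for label, rx in PERSISTENCE_LOCATIONS]


@dataclass(frozen=True)
class RegistryEvent:
    image: str    # writing process (Sysmon Image)
    target: str   # Sysmon TargetObject, key path plus value name
    details: str  # Sysmon Details, i.e. the value that was written


def classify(event: RegistryEvent) -> Optional[str]:
    """Return the technique label for a write to a monitored location, else None."""
    path = event.target.lower()
    for label, rx in _RULES:
        if rx.search(path):
            return label
    return None


def parse_event(line: str) -> RegistryEvent:
    """Parse one 'Field=value|Field=value' line (assumed flat export format)."""
    fields = dict(part.split("=", 1) for part in line.rstrip("\n").split("|"))
    return RegistryEvent(fields["Image"], fields["TargetObject"], fields.get("Details", ""))


def hunt(lines) -> List[Tuple[str, str, str, str]]:
    """Return (technique, image, target, details) for every event that hits a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        label = classify(ev)
        if label is not None:
            hits.append((label, ev.image, ev.target, ev.details))
    return hits


# Constructed Sysmon-style records; file paths, service name and the Active Setup
# GUID are hypothetical. The last record is benign and must not match.
SAMPLE_EVENTS = [
    r"Image=C:\Users\victim\AppData\Local\Temp\VMX Spoofer.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VMXHelper|Details=C:\Users\victim\AppData\Roaming\vmxh.exe",
    r"Image=C:\Users\victim\AppData\Local\Temp\VMX Spoofer.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell|Details=explorer.exe,C:\Users\victim\AppData\Roaming\vmxh.exe",
    r"Image=C:\Users\victim\AppData\Roaming\vmxh.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger|Details=C:\Windows\System32\cmd.exe",
    r"Image=C:\Users\victim\AppData\Roaming\vmxh.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{4F1A7E2B-0C3D-4E5F-9A8B-7C6D5E4F3A2B}\StubPath|Details=C:\Users\victim\AppData\Roaming\vmxh.exe",
    r"Image=C:\Users\victim\AppData\Roaming\vmxh.exe|TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vmxsvc\(Default)|Details=Service",
    r"Image=C:\Users\victim\AppData\Roaming\vmxh.exe|TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall|Details=DWORD (0x00000000)",
    r"Image=C:\Users\victim\AppData\Roaming\vmxh.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll|Details=C:\Users\victim\AppData\Roaming\sip.dll",
    r"Image=C:\Windows\System32\svchost.exe|TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A1B2C3D4-0000-1111-2222-333344445555}\DhcpIPAddress|Details=10.0.0.25",
]

if __name__ == "__main__":
    for technique, image, target, details in hunt(SAMPLE_EVENTS):
        print(f"{technique}: {image} wrote {target} = {details}")
```

The rules key on the value name as well as the key path (StubPath, Driver, Debugger, EnableFirewall, Dll) so that routine reads and unrelated values under the same keys do not fire; the Sysmon configuration on the host still has to include these keys for the events to exist at all. Note that the SIP hijack record points the PE verification handler at a DLL in the user profile, which is exactly the change the "Manipulates Digital Signatures" signature describes.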
Target: discord_token_grabber.pyc
Size: 16KB
MD5: 924ef065a5167d44170ac81a60cc6fbe
SHA1: ebfa171438758dd9810369d3077f618bfab5bc09
SHA256: 78a36fae762432c89f4c0b185e5c227144817199dbde90d16749c6bfc0fb1dd1
SHA512: 15a2144fe6e0e081856fd875bcbb239a83da115dce2cda1924f71cfc401f13f681d5047cb80b40cdcdcb617c12d9c12f7bfdc15d38177ace8685c59bb631afdc
SSDEEP: 192:bIqqTmuEWauge+M6DA8AYv++JDcNQshU8En5W4NXOYd/G7XW:+9avP588A+DDWRm5FOUG7XW
Score: 3/10

Target: get_cookies.pyc
Size: 9KB
MD5: c9a6c4ec57f83d1aa200fe076665c42c
SHA1: 42bf07fb97a2ccd29a67067ae9ead40548e046b9
SHA256: ec0628cca3f23628d1ff24a88e8215238eee1601cfe9e49a4525fdca15034497
SHA512: ffe8ba3ff8edb65ff53b9006fa327991f9c272ace5f7cfb387080d8cd23f994842eee49246f1c32d41d6e081dff1a04f9c6b3e5d5e5e2f3cd96fead21fa09745
SSDEEP: 192:srJe41QfUE0xZVbFAI6dokUpjYnuHN3gQ:iQBifedokqYnuHN3gQ
Score: 3/10

Target: misc.pyc
Size: 4KB
MD5: 36ed907d6c57862deacc25f4da2bde11
SHA1: 0e21743b8eff2688e13055bfe26467cd3af43559
SHA256: 8ebd34d6a4a41a2107ab7000da651fed3996ae0e13291fe6970971b5bc0e5087
SHA512: 89dca2a052a77c829423d0cc1389e83b645ae97d063ccef2f47188c3b83dfeef6632d116cac714df01c908b148767d59e46006bded668f046fc78a564c52fdd4
SSDEEP: 96:vDh/7Y8hYPUywfLDwfPsULKliOCpmrSTUpjdaJuo1kUZsX3g:vVR5ywfwXsULPJmDpjwN1kIo3g
Score: 3/10

Target: passwords_grabber.pyc
Size: 7KB
MD5: cc180daa11732953527c69ac7bbea3b1
SHA1: 24ea916374f1fe5981219c1c330ba8f851571e9e
SHA256: 6a67c8b0591fef85f8436d152361796d4bf1fb3ddf46a5af873743cc16ece1fe
SHA512: 5e4e259999b3155ca5d9f55de691ced7c918acdab8b7c3ef7bca69903d6057a6c102a997b4b2af4a655026b3dd3ea8aed855306633392ab6a9171e70a34dbfbb
SSDEEP: 192:0tkwY6bLQ3hT8+NE102sGMleDkUhMbvEh:dwY6bLQ3RzHOMER
Score: 3/10

Target: source_prepared.pyc
Size: 171KB
MD5: 7e1927afc400d2d7290c5f3450f8ad90
SHA1: fe682567a4419614d3daeb7fea3c4ba362ec853a
SHA256: a4b1cc04e4e4e7189d3ae3854ea5e659c1d231f364bc03ad0648c1195e6e40b0
SHA512: ffda2edd88998c601218e310d63494a8f4d869e23af29fb4b6d505c7bafdd8130152120ccff4059dc1bfff5b656d7ab17a256303d3db581684941f66f76c21d2
SSDEEP: 3072:N5UawF05YGl3S2SVfUFoGoD7iD6GxrhQpvqda+oqXsilDY:NE65hlrSNGo6r6Jqda+1sKY
Score: 3/10
MITRE ATT&CK Enterprise v15 (technique: hit count)

Persistence
  Boot or Logon Autostart Execution: 7
    Active Setup: 1
    Port Monitors: 1
    Print Processors: 1
    Registry Run Keys / Startup Folder: 2
    Winlogon Helper DLL: 2
  Browser Extensions: 1
  Create or Modify System Process: 2
    Windows Service: 2
  Event Triggered Execution: 3
    Change Default File Association: 1
    Image File Execution Options Injection: 1
    Netsh Helper DLL: 1

Privilege Escalation
  Boot or Logon Autostart Execution: 7
    Active Setup: 1
    Port Monitors: 1
    Print Processors: 1
    Registry Run Keys / Startup Folder: 2
    Winlogon Helper DLL: 2
  Create or Modify System Process: 2
    Windows Service: 2
  Event Triggered Execution: 3
    Change Default File Association: 1
    Image File Execution Options Injection: 1
    Netsh Helper DLL: 1

Defense Evasion
  Impair Defenses: 2
    Disable or Modify System Firewall: 1
    Safe Mode Boot: 1
  Indicator Removal: 1
    Clear Persistence: 1
  Modify Registry: 13
  Subvert Trust Controls: 2
    Install Root Certificate: 1
    SIP and Trust Provider Hijacking: 1