General

  • Target

    d1e4712d3aaa767f88370dd745cef939

  • Size

    952KB

  • Sample

    201025-kghcfwzgpa

  • MD5

    d1e4712d3aaa767f88370dd745cef939

  • SHA1

    a48f26a9d9e1c383938ca74be47c39dafcdf4a49

  • SHA256

    81bb2960d19ec9b9c778b010051b08a27dcf29e9fa4ea382bc5163c7e60f55e3

  • SHA512

    5613da65ca1cd568ddb2cb27014fe09339145976592ed318600019c022f771b297609b058ea740f47ab307c640e62375ebb6fdcb4634213dadb400d2cbfcce79

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    joylynch.ddns.net:100

  • Mutex

    DC_MUTEX-GUU4ZZV

  • Attributes

    gencode: USwcMCrQTcVd

    install: false

    offline_keylogger: true

    persistence: false

Extracted

  • Family

    pony

  • C2

    http://lynch.herobo.com/pcss/gate.php

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting, T1064 (1)

  • Defense Evasion

    Scripting, T1064 (1)

  • Credential Access

    Credentials in Files, T1081 (2)

  • Discovery

    Query Registry, T1012 (1)

    System Information Discovery, T1082 (1)

  • Collection

    Data from Local System, T1005 (2)
