Overview

overview

10

Static

static

e7b17ce186...72.exe

windows7_x64

10

e7b17ce186...72.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e7b17ce186cf8130fcf42c9b7687ff7974e02dea84a9b13ff38799dd8fdf3372

  • Size

    3.5MB

  • Sample

    201106-h8ad2c9r7a

  • MD5

    75414ca39510275ef10c221456eaf9a9

  • SHA1

    fe6e88b45f605d33edc1088c2c92db1ac53b92d8

  • SHA256

    e7b17ce186cf8130fcf42c9b7687ff7974e02dea84a9b13ff38799dd8fdf3372

  • SHA512

    13ba953642d07c67fcb48c0e05964b4c1138af45fb66880b02a9f95b1fd54a32a0cf4174bb3e1ff534344b233fdae72867741b0d07189481058df06afff6c95d

Score
10/10
asyncratdarkcometwarzonerat2020nov52020nov88evasioninfostealerpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

2020NOV88

C2

sandyclark255.hopto.org:35887

Mutex

DC_MUTEX-9ZBZ3MR

Attributes
  • InstallPath

    winrars64.exe

  • gencode

    VDo5BJiqj6oK

  • install

    true

  • offline_keylogger

    true

  • password

    hhhhhh

  • persistence

    true

  • reg_key

    rar

Extracted

Family

warzonerat

C2

sandyclark255.hopto.org:5200

Extracted

Family

darkcomet

Botnet

2020NOV5

C2

sandyclark255.hopto.org:1605

Mutex

DC_MUTEX-XRQ89VC

Attributes
  • InstallPath

    skypew.exe

  • gencode

    pZP6alYpcpSq

  • install

    true

  • offline_keylogger

    true

  • password

    hhhhhh

  • persistence

    true

  • reg_key

    skype

Extracted

Family

asyncrat

Version

0.5.6A

C2

sandyclark255.hopto.org:6606

sandyclark255.hopto.org:8808

sandyclark255.hopto.org:7707
Mutex

adweqsds5

Attributes
  • aes_key

    kv5uVyBGd24QqEsgPMVYkssYB7jsYam1

  • anti_detection

    true

  • autorun

    true

  • bdos

    false

  • delay

  • host

    sandyclark255.hopto.org

  • hwid

  • install_file

  • install_folder

    %AppData%

  • mutex

    adweqsds5

  • pastebin_config

    null

  • port

    6606,8808,7707

  • version

    0.5.6A

aes.plain

Targets

    • Target

      e7b17ce186cf8130fcf42c9b7687ff7974e02dea84a9b13ff38799dd8fdf3372

    • Size

      3.5MB

    • MD5

      75414ca39510275ef10c221456eaf9a9

    • SHA1

      fe6e88b45f605d33edc1088c2c92db1ac53b92d8

    • SHA256

      e7b17ce186cf8130fcf42c9b7687ff7974e02dea84a9b13ff38799dd8fdf3372

    • SHA512

      13ba953642d07c67fcb48c0e05964b4c1138af45fb66880b02a9f95b1fd54a32a0cf4174bb3e1ff534344b233fdae72867741b0d07189481058df06afff6c95d

    Score
    10/10
    asyncratdarkcometwarzonerat2020nov52020nov88evasioninfostealerpersistencerattrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Async RAT payload

      rat

    • Warzone RAT Payload

      rat

    • Disables Task Manager via registry modification

      evasion

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks