General
- Target: e7b17ce186cf8130fcf42c9b7687ff7974e02dea84a9b13ff38799dd8fdf3372
- Size: 3.5MB
- Sample: 201106-h8ad2c9r7a
- MD5: 75414ca39510275ef10c221456eaf9a9
- SHA1: fe6e88b45f605d33edc1088c2c92db1ac53b92d8
- SHA256: e7b17ce186cf8130fcf42c9b7687ff7974e02dea84a9b13ff38799dd8fdf3372
- SHA512: 13ba953642d07c67fcb48c0e05964b4c1138af45fb66880b02a9f95b1fd54a32a0cf4174bb3e1ff534344b233fdae72867741b0d07189481058df06afff6c95d
Static task: static1
Behavioral task: behavioral1
- Sample: e7b17ce186cf8130fcf42c9b7687ff7974e02dea84a9b13ff38799dd8fdf3372.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: e7b17ce186cf8130fcf42c9b7687ff7974e02dea84a9b13ff38799dd8fdf3372.exe
- Resource: win10v20201028
Malware Config
Extracted
darkcomet
2020NOV88
sandyclark255.hopto.org:35887
DC_MUTEX-9ZBZ3MR
- InstallPath: winrars64.exe
- gencode: VDo5BJiqj6oK
- install: true
- offline_keylogger: true
- password: hhhhhh
- persistence: true
- reg_key: rar
Extracted
warzonerat
sandyclark255.hopto.org:5200
Extracted
darkcomet
2020NOV5
sandyclark255.hopto.org:1605
DC_MUTEX-XRQ89VC
- InstallPath: skypew.exe
- gencode: pZP6alYpcpSq
- install: true
- offline_keylogger: true
- password: hhhhhh
- persistence: true
- reg_key: skype
Extracted
asyncrat
0.5.6A
sandyclark255.hopto.org:6606
sandyclark255.hopto.org:8808
sandyclark255.hopto.org:7707
adweqsds5
- aes_key: kv5uVyBGd24QqEsgPMVYkssYB7jsYam1
- anti_detection: true
- autorun: true
- bdos: false
- delay:
- host: sandyclark255.hopto.org
- hwid:
- install_file:
- install_folder: %AppData%
- mutex: adweqsds5
- pastebin_config: null
- port: 6606,8808,7707
- version: 0.5.6A
Targets
- Target: e7b17ce186cf8130fcf42c9b7687ff7974e02dea84a9b13ff38799dd8fdf3372
- Modifies WinLogon for persistence
- WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Async RAT payload
- Warzone RAT Payload
- Disables Task Manager via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext