General

  • Target

    mscalc.exe

  • Size

    6.2MB

  • Sample

    210210-pfzlj3yc7x

  • MD5

    8da1beb8d0bd395cb183333e391269f2

  • SHA1

    c1a7321e85ce8a80febecab35fe3a926bd4478fe

  • SHA256

    31a6ae954de5d6d0826b2665369588d62d31d9bb3714ad2c6b38c2d965138b84

  • SHA512

    c79ab96089f7f6e113c2944f64e2997db1efb7e671800bcf7b6225e4e9c0d95f7cc0a3570d31f891de41b56e1958f625609d05f992ca871263ce418b7f3dc7d0

Malware Config

Extracted

  • Family: darkcomet
  • Botnet: 2021New-FEB-444
  • C2: andronmatskiv20.sytes.net:35887
  • Mutex: DC_MUTEX-AXAUMCZ
  • Attributes
      • InstallPath: winskype.exe
      • gencode: YTK5uJnaoYn7
      • install: true
      • offline_keylogger: true
      • password: hhhhhh
      • persistence: true
      • reg_key: skypes

Extracted

  • Family: warzonerat
  • C2:
      185.128.25.29:5200
      andronmatskiv20.sytes.net:5200

Extracted

  • Family: asyncrat
  • Version: 0.5.6A
  • C2:
      185.128.25.29:6606
      185.128.25.29:8808
      185.128.25.29:7707
  • Mutex: eruhbfgfe87
  • Attributes
      • aes_key: N90w8WPVT07mnspqHrDf4BSY88bVY3r9
      • anti_detection: false
      • autorun: true
      • bdos: true
      • delay:
      • host: 185.128.25.29
      • hwid:
      • install_file:
      • install_folder: %AppData%
      • mutex: eruhbfgfe87
      • pastebin_config: null
      • port: 6606,8808,7707
      • version: 0.5.6A
      • aes.plain:

Targets

    • Target

      mscalc.exe

    • Size

      6.2MB

    • MD5

      8da1beb8d0bd395cb183333e391269f2

    • SHA1

      c1a7321e85ce8a80febecab35fe3a926bd4478fe

    • SHA256

      31a6ae954de5d6d0826b2665369588d62d31d9bb3714ad2c6b38c2d965138b84

    • SHA512

      c79ab96089f7f6e113c2944f64e2997db1efb7e671800bcf7b6225e4e9c0d95f7cc0a3570d31f891de41b56e1958f625609d05f992ca871263ce418b7f3dc7d0

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Async RAT payload

    • Warzone RAT Payload

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution
  • T1053 Scheduled Task (1)

Persistence
  • T1004 Winlogon Helper DLL (1)
  • T1060 Registry Run Keys / Startup Folder (1)
  • T1053 Scheduled Task (1)

Privilege Escalation
  • T1053 Scheduled Task (1)

Defense Evasion
  • T1112 Modify Registry (3)

Discovery
  • T1012 Query Registry (3)
  • T1082 System Information Discovery (4)
  • T1120 Peripheral Device Discovery (1)

Tasks