General
- Target: mscalc.exe
- Size: 6.2MB
- Sample: 210210-pfzlj3yc7x
- MD5: 8da1beb8d0bd395cb183333e391269f2
- SHA1: c1a7321e85ce8a80febecab35fe3a926bd4478fe
- SHA256: 31a6ae954de5d6d0826b2665369588d62d31d9bb3714ad2c6b38c2d965138b84
- SHA512: c79ab96089f7f6e113c2944f64e2997db1efb7e671800bcf7b6225e4e9c0d95f7cc0a3570d31f891de41b56e1958f625609d05f992ca871263ce418b7f3dc7d0
Static task: static1
Behavioral task: behavioral1
- Sample: mscalc.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: mscalc.exe
- Resource: win10v20201028
Malware Config
Extracted: darkcomet
- 2021New-FEB-444
- andronmatskiv20.sytes.net:35887
- DC_MUTEX-AXAUMCZ
- InstallPath: winskype.exe
- gencode: YTK5uJnaoYn7
- install: true
- offline_keylogger: true
- password: hhhhhh
- persistence: true
- reg_key: skypes
Extracted: warzonerat
- 185.128.25.29:5200
- andronmatskiv20.sytes.net:5200
Extracted: asyncrat
- 0.5.6A
- 185.128.25.29:6606
- 185.128.25.29:8808
- 185.128.25.29:7707
- eruhbfgfe87
- aes_key: N90w8WPVT07mnspqHrDf4BSY88bVY3r9
- anti_detection: false
- autorun: true
- bdos: true
- delay:
- host: 185.128.25.29
- hwid:
- install_file:
- install_folder: %AppData%
- mutex: eruhbfgfe87
- pastebin_config: null
- port: 6606,8808,7707
- version: 0.5.6A
Targets
Target: mscalc.exe
- Size: 6.2MB
- MD5: 8da1beb8d0bd395cb183333e391269f2
- SHA1: c1a7321e85ce8a80febecab35fe3a926bd4478fe
- SHA256: 31a6ae954de5d6d0826b2665369588d62d31d9bb3714ad2c6b38c2d965138b84
- SHA512: c79ab96089f7f6e113c2944f64e2997db1efb7e671800bcf7b6225e4e9c0d95f7cc0a3570d31f891de41b56e1958f625609d05f992ca871263ce418b7f3dc7d0
- Modifies WinLogon for persistence
- Suspicious use of NtCreateProcessExOtherParentProcess
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Async RAT payload
- Warzone RAT Payload
- Disables Task Manager via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext