General

  Target  cbc15bace96277a9115ee0c21b19c14b180b3bc947185c73201487ce7cced200
  Size    8.2MB
  Sample  220122-aybs1sfehm
  MD5     6552314fdf9aa5b941a11bc0c8c2871f
  SHA1    4a2ec182e522207ee3106facda220669713ec8e9
  SHA256  cbc15bace96277a9115ee0c21b19c14b180b3bc947185c73201487ce7cced200
  SHA512  dacd45a29fae72875b70cc3db38fe402c7365c0c4ff9e0cf3521b62c4f6d163b46a876b0cb004a4f1b2ad75a21f8ea63420d33e1dbe3570e12c6f9e4dc31ec64

Malware Config

Extracted

  Family  darkcomet
  Botnet  Guest16
  C2      aqo.x64.me:1912
  Mutex   DC_MUTEX-7AAHHXB

  Attributes
    gencode            6v5t2aHeiJcR
    install            false
    offline_keylogger  true
    persistence        false

Targets

  Target  107fjr24.exe
  Size    141KB
  MD5     ab6db3d9ebb1560c9081c9f7b2f0fa27
  SHA1    c2327018bba4cec35be4aad1a16b98b369939808
  SHA256  d52054e01b1fe26ec947917ad40ad763203750b5bb83018eddf41cc1bb505704
  SHA512  cc3190da2ecc61afbe9c871e3039a4e9f7c87c5531c0e778b4c4ae3339cbe44f8d367e10df302b224b69778bff90a3a387994eab44ef78311cd1171dcaab2c56
  Score   3/10

  Target  109fjr24.exe
  Size    141KB
  MD5     e1245adae6e6bd15e954aefbc2e37547
  SHA1    691ab418cfaf9174c04862074b720071a23e4894
  SHA256  42642db8fb7d975839368992ee229b6a76fad98840122e8bd12c1d517014708f
  SHA512  a8f8d958aef81c87c4bc854d9ab4afdcb4cf4444db0f9aa6d77449946b4e98e7d336cb4011e17293d02c21c86c859ad0916e232f5c0c055827e7791d61ed6488
  Score   3/10

  Target  121fjr24.exe
  Size    141KB
  MD5     96ef5bf4508b298d0c3be338e6578482
  SHA1    6c69382beb07e2a55a71e2ae8960e1e0839cad8f
  SHA256  04774a86cde968bcde830d2871d41341129a696f67a3bc99395cf08b29bb6cca
  SHA512  c4a7e948a35a4ca7df81784aa090c140f287c837e897c94f8b6f8946ba7c4a04f8917de1249070cb207dad07b3fe9a821231bbf05feb6c222c5a0c2dea00e404
  Score   3/10

  Target  127fjr24.exe
  Size    141KB
  MD5     d1f772c90546cc3c8e47c1a74764051a
  SHA1    1e6a2666cdd92ec8a1e8b783f2984123f6a848dc
  SHA256  038419e02a6147a3c698ddec8d69d1a88f518a79ab16917e82955245fbd1af9b
  SHA512  167c0f8b29b622eefa4ec038fb988b460a8b811f48767e303b27f40bd8010cc6d4623e32a5a2f60990ce3d30c1fb88abc2ccac8397de009cf6d098616d5a4f2e
  Score   3/10

  Target  85fjr24.exe
  Size    141KB
  MD5     cc4cd5cb397650e5c5c940c048934dc8
  SHA1    8cad5d0aa2211199eedb325232c360cf35580cca
  SHA256  34e2f9b95470a8225a9466affd102de9347416fc405c721e5715c12cb47c8d1d
  SHA512  31c28a6064489288f22393826cf09bb99720440104c02604bc79457ff422b726b52b0f2fcdc893e5e5304cde1ceeac17306fa9be45297d58c131fede90021770
  Score   3/10

  Target  DDos
  Size    745KB
  MD5     faa401dd97651b9b6dde523d2efa212e
  SHA1    629c216585567eaf856e6cc0402a975330ebe345
  SHA256  3fc2a0bee426bc54e4f3261331ec9ea9a3b5c1ad27094734bc828211f9fdf293
  SHA512  ab48201e65c45cd77e3460f52af5bbbf0467826dde1039fc6b910db136726c4c47eb311e4b2ac03de348ced8d6c0691d27bcc485399ca7e63851a11a5211687e
  Score   1/10

  Target  Rat.exe
  Size    204KB
  MD5     334449566ae89a91a04910a55ce78331
  SHA1    4e3a77b0145eccdfceaf5a425c5b75acf8a8093d
  SHA256  3245305f1e0c6a580cfcc5e613fbe9731045b53152c093ed579b4f0336f37b6b
  SHA512  f3ba014520903b315f73ee95912b8f286a502a20968f99efb6c80df1523ddd236acc1317797f62956085e777c789d6bdcf2d4d248bffea4b7053a7eea282ce21
  • Modifies firewall policy service
  • Ramnit
    Ramnit is a versatile family that holds viruses, worms, and Trojans.
  • Suspicious use of NtCreateProcessExOtherParentProcess
  • suricata: ET MALWARE Known Hostile Domain ant.trenz .pl Lookup
  • suricata: ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup
  • Executes dropped EXE
  • UPX packed file
    Detects executables packed with UPX/modified UPX open source packer.
  • Loads dropped DLL
  • Adds Run key to start application

  Target  SB360.exe
  Size    221KB
  MD5     db914865093d68e43ba373505e181bed
  SHA1    362d30835a783ffc02d4873b4e9fccb2a1013aa1
  SHA256  fd247afce88192a9ec92665f78dc85f557be4d729357bf7988da2625b39e46d0
  SHA512  261763b65e6da76f3a8b3334bc56933548d60f8de25c70cbda41a5eeb51c33c4554ee3c3c9b2bd6d425665aae16dcb4819e4394f4beb148cdaa413911fdf6124
  Score   9/10
  • ACProtect 1.3x - 1.4x DLL software
    Detects file using ACProtect software.
  • Executes dropped EXE
  • Deletes itself
  • Loads dropped DLL
  • Adds Run key to start application

  Target  Server.exe
  Size    221KB
  MD5     636f9d819e55f630488e24dc30284ff2
  SHA1    037c01050b62b2eb491d34f801a89304152fe729
  SHA256  5be8cc124d72d465883fddc0a4284bd9d7c54fc4ad4c8a56b6cdb36014c09eb6
  SHA512  ab74c6912aecbb0f2b50e9647fe3d6efd1734596153ae746e914afae3521bc5791a8decedcea5f20c4cd5729ca4dfa91a6bc5dbbcd7fa99192b1544299611c84
  Score   9/10
  • ACProtect 1.3x - 1.4x DLL software
    Detects file using ACProtect software.
  • Executes dropped EXE
  • Deletes itself
  • Loads dropped DLL
  • Adds Run key to start application

  Target  Servor.exe
  Size    221KB
  MD5     b4e396953987d7db9bd1b7d863d3054c
  SHA1    063a776a286abc9b53d471cec30afbd47defb7a3
  SHA256  c7815a92a415aca590bfec64b7358100919942587a7e1e7ea564294744136b96
  SHA512  dab472268f2f6ea55adf9d81ca6b3a3cb23c9a8f50af49bb5d80604a704bb0df0bed8ea3b749eabe26c1f0a9e14cad10d0deebafa297bb06238881ff04fcead4
  Score   9/10
  • ACProtect 1.3x - 1.4x DLL software
    Detects file using ACProtect software.
  • Executes dropped EXE
  • Deletes itself
  • Loads dropped DLL
  • Adds Run key to start application

  Target  Sesrver.exe
  Size    88KB
  MD5     c29fc5fb044cdb3420b93992651ec7bf
  SHA1    d7005a3a1a36eba87650e47d75ac43987b14daed
  SHA256  0ebf734c0f1593866d283e862290549cf62ce5dc23fc1a32a3cc1dc3e0c6141e
  SHA512  7dca2050546a05eda4432c295e85f3dfde67bf470b845d153373e38a8ba0255463afe262cd61b5aea33c5737096745b38a59930c5b3af725ba8d83797cda9fb7
  Score   1/10

  Target  assvkl.exe
  Size    152KB
  MD5     bd149a73a8acf2189c9617ac91ce6f6f
  SHA1    bfc23fe8b90ef007efa95a3692d12a3bb3272e48
  SHA256  e1ede2abf3e94412564ff62aa01956572995a04778071dbdafe5924448e7a43a
  SHA512  ae5b27ddc65d5aaf1b424b28b945eee42e1bd97422be7f24598fae90e2ebfb6f21322bea924d0f8f702e5284281f519e1920619cad95a9da9e6f8aefd69b61bf
  Score   1/10

  Target  bm.exe
  Size    444KB
  MD5     140ded32fdbf6686dc9dc191ac3259c7
  SHA1    8942a1f7e907f8c086d91a4e9008b4eb596d6eb6
  SHA256  b8fe3399840229b96834203706e300ba1d5bce01b84d9f56febb1b95a5817321
  SHA512  7efaafbb24d1be3f87758f1a50dee17a1d20e5985993c35bb64d9024b6b816328065e01af26e40fcd420b435ba141de1df696080983ab59af28454c8d28011c5
  Score   8/10
  • UPX packed file
    Detects executables packed with UPX/modified UPX open source packer.

  Target  cafe.exe
  Size    201KB
  MD5     9bc7781b7d0e6f75afd3175be87a7faa
  SHA1    c9a2aac50085912f663758f99952012acddaf7ee
  SHA256  6e67d3deb135464cc43679d886625fcc71dbd90d8f669e625a1bf5e6d5ccd094
  SHA512  84c84e8b8b1714011bc5c5af9d85c1a21937ee26b7e9a27532163c1b1336fa7fe109a2416158ef4aae260f7ab1d6ba482901d5a42513d9d8253e8dd0c43747b3
  Score   8/10
  • Executes dropped EXE
  • Deletes itself
  • Loads dropped DLL
  • Writes to the Master Boot Record (MBR)
    Bootkits write to the MBR to gain persistence at a level below the operating system.
  • Drops file in System32 directory

  Target  dqfjr24.exe
  Size    141KB
  MD5     79c01b6869911c263c593c9b4dd239db
  SHA1    d6a826434b6bcb720591c067923b069f3b86e817
  SHA256  2283703bbcb74562c72f19d5a33040766a68b015d1e567dabe306fb6f7f6098f
  SHA512  19bff90c2aa5428abf0f4a23d15e182c827aed2827701a1c63b24c3f4d18a1382b6b29d5c1a77bc7d793fe07a789cb87e4f063b69c1b6439404f958ddeb38511
  Score   3/10

  Target  knmbr.exe
  Size    48KB
  MD5     0948f2d2dcbce2b419dea831ca795879
  SHA1    81b61a57222ecbd41c932fbd10582ad0e4dd7f1c
  SHA256  dfc637012a04a153c7838ba5dd3903da41e64e972305b95aba8a58632494d890
  SHA512  062dff0e28b6da3da2c0a0574563e32f7447439bdf362b5000d584c1b1eafbd6cb29b9768a5bcf0413e0f6843efcdcc11cc72f422a313b0d6d25a0a9a139a929
  Score   1/10

  Target  muzzo.exe
  Size    759KB
  MD5     ed4ada0fbf4da07b39942baadd5dfe64
  SHA1    3194017d920eb49a50958aab91101e598423bed3
  SHA256  95c4c2fc868d338f9b9aa3b3432f076499eb41ad308de0abe11187f790577c37
  SHA512  9fba4200e6dee41ef526b588363b829dfa4c66f51662c3c0c7832c8317b6a75e4ddb6b7d9a953d615162a6beab62140ab21fd49a8a70315a035ee0000dc2f24b
  • Darkcomet
    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  • UPX packed file
    Detects executables packed with UPX/modified UPX open source packer.
  • Adds Run key to start application
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           ID     Technique                           Count
  Persistence      T1031  Modify Existing Service             1
  Persistence      T1060  Registry Run Keys / Startup Folder  5
  Persistence      T1067  Bootkit                             1
  Defense Evasion  T1112  Modify Registry                     7
  Discovery        T1012  Query Registry                      2
  Discovery        T1082  System Information Discovery        7

Tasks

  Task          Score  Tags
  static1       8/10   upx
  behavioral1   3/10
  behavioral2   3/10
  behavioral3   3/10
  behavioral4   3/10
  behavioral5   3/10
  behavioral6   3/10
  behavioral7   3/10
  behavioral8   3/10
  behavioral9   3/10
  behavioral10  3/10
  behavioral11  1/10
  behavioral12  10/10  ramnit banker persistence spyware stealer trojan upx worm
  behavioral13  10/10  ramnit banker evasion persistence spyware stealer suricata trojan upx worm
  behavioral14  9/10   persistence
  behavioral15  9/10   persistence
  behavioral16  9/10   persistence
  behavioral17  9/10   persistence
  behavioral18  9/10   persistence
  behavioral19  9/10   persistence
  behavioral20  1/10
  behavioral21  1/10
  behavioral22  1/10
  behavioral23  1/10
  behavioral24  8/10   upx
  behavioral25  3/10
  behavioral26  8/10   bootkit persistence
  behavioral27  8/10
  behavioral28  3/10
  behavioral29  3/10
  behavioral30  1/10
  behavioral31  1/10
  behavioral32  10/10  darkcomet guest16 persistence rat trojan upx