darkcomet

Sharing

Copy URL

Twitter E-mail

General

Target

энео.exe
Size

37KB
Sample

220712-v29jnseah7
MD5

560bbfc461eedb8cf63829ba541cf3d9
SHA1

ed000f409135eae31b75f6099ab67ed51f33682c
SHA256

7a044001bcda446a4ab9b93675974040c7fe94c56f29958a32ba4525649ffa4c
SHA512

8faa7c76316c43e33b929295a9141f9bdf0630c24d60c2ec1dd92e7216520850fb3fbcf48e7141ade89e3efeb801c658122bd71551a40b79ce05049b212afafb

Score

10^/10

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

лох

7.tcp.eu.ngrok.io:11298

Mutex

4d4d7566839b1261810c4b0008fc6da7

Attributes

reg_key
4d4d7566839b1261810c4b0008fc6da7
splitter
|'|'|

Targets

- Target
  
  энео.exe
- Size
  
  37KB
- MD5
  
  560bbfc461eedb8cf63829ba541cf3d9
- SHA1
  
  ed000f409135eae31b75f6099ab67ed51f33682c
- SHA256
  
  7a044001bcda446a4ab9b93675974040c7fe94c56f29958a32ba4525649ffa4c
- SHA512
  
  8faa7c76316c43e33b929295a9141f9bdf0630c24d60c2ec1dd92e7216520850fb3fbcf48e7141ade89e3efeb801c658122bd71551a40b79ce05049b212afafb
Score

10^/10

darkcomet neshta njrat лох evasion persistence rat spyware stealer suricata trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Detect Neshta payload
- Modifies WinLogon for persistence
  persistence
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
  suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
  suricata
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (File Manager Actions)
  suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (File Manager Actions)
  suricata
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Process Listing)
  suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Process Listing)
  suricata
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
  suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
  suricata
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)
  suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)
  suricata
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
  suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
  suricata
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Disables Task Manager via registry modification
  evasion
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1