General

  • Target

    020824c1dfea0166bf1bfe3ce59af7a7.exe

  • Size

    2MB

  • Sample

    221005-beftasdac7

  • MD5

    020824c1dfea0166bf1bfe3ce59af7a7

  • SHA1

    e691e2f4607af277472ae32df75c4c42ff94b84c

  • SHA256

    9bc9e9a3db288348e68fbf59c43df4ed9cc72a029aa70a31e0d7f325bf05b381

  • SHA512

    025d92d41a81455513daccca997f396fe393909d7b388ec6f05b8eac5feef91e9996aa263501ac1b74962a40c5d9ce190df2be97f21bbfa8146c63cec6cda6b2

Malware Config

Extracted

Family

darkcomet

Botnet

New-July-July4-02

C2

dgorijan20785.hopto.org:35800

Attributes
gencode
UkVkDi2EZxxn
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

warzonerat

C2

45.74.4.244:5199

dgorijan20785.hopto.org:5199

Extracted

Family

asyncrat

Version

0.5.6A

C2

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Attributes
delay
5
install
true
install_file
wintskl.exe
install_folder
%AppData%
aes.plain

Extracted

Family

darkcomet

Botnet

New-July-July4-0

C2

45.74.4.244:35800

Attributes
gencode
cKUHbX2GsGhs
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Targets

    • Target

      020824c1dfea0166bf1bfe3ce59af7a7.exe

    • Size

      2MB

    • MD5

      020824c1dfea0166bf1bfe3ce59af7a7

    • SHA1

      e691e2f4607af277472ae32df75c4c42ff94b84c

    • SHA256

      9bc9e9a3db288348e68fbf59c43df4ed9cc72a029aa70a31e0d7f325bf05b381

    • SHA512

      025d92d41a81455513daccca997f396fe393909d7b388ec6f05b8eac5feef91e9996aa263501ac1b74962a40c5d9ce190df2be97f21bbfa8146c63cec6cda6b2

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Async RAT payload

    • Warzone RAT payload

    • Drops file in Drivers directory

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

    Execution

      Exfiltration

        Impact

          Initial Access

            Lateral Movement

              Privilege Escalation