Overview

overview

10

Static

static

020824c1df...a7.exe

windows7-x64

10

020824c1df...a7.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    020824c1dfea0166bf1bfe3ce59af7a7.exe

  • Size

    2MB

  • Sample

    221005-beftasdac7

  • MD5

    020824c1dfea0166bf1bfe3ce59af7a7

  • SHA1

    e691e2f4607af277472ae32df75c4c42ff94b84c

  • SHA256

    9bc9e9a3db288348e68fbf59c43df4ed9cc72a029aa70a31e0d7f325bf05b381

  • SHA512

    025d92d41a81455513daccca997f396fe393909d7b388ec6f05b8eac5feef91e9996aa263501ac1b74962a40c5d9ce190df2be97f21bbfa8146c63cec6cda6b2

  • SSDEEP

    49152:J6oUM9eEZyfky3a7B9L787fYIdLVYZcl+:RUMHyR3sB9q7CKA

Score
10/10
asyncratdarkcometwarzoneratnew-july-july4-0new-july-july4-02collectioninfostealerpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

New-July-July4-02

C2

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes
  • gencode

    UkVkDi2EZxxn

  • install

    false

  • offline_keylogger

    true

  • password

    hhhhhh

  • persistence

    false

Extracted

Family

warzonerat

C2

45.74.4.244:5199

dgorijan20785.hopto.org:5199

Extracted

Family

asyncrat

Version

0.5.6A

C2

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808
Mutex

servtle284

Attributes
  • delay

    5

  • install

    true

  • install_file

    wintskl.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

New-July-July4-0

C2

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes
  • gencode

    cKUHbX2GsGhs

  • install

    false

  • offline_keylogger

    true

  • password

    hhhhhh

  • persistence

    false

Targets

    • Target

      020824c1dfea0166bf1bfe3ce59af7a7.exe

    • Size

      2MB

    • MD5

      020824c1dfea0166bf1bfe3ce59af7a7

    • SHA1

      e691e2f4607af277472ae32df75c4c42ff94b84c

    • SHA256

      9bc9e9a3db288348e68fbf59c43df4ed9cc72a029aa70a31e0d7f325bf05b381

    • SHA512

      025d92d41a81455513daccca997f396fe393909d7b388ec6f05b8eac5feef91e9996aa263501ac1b74962a40c5d9ce190df2be97f21bbfa8146c63cec6cda6b2

    • SSDEEP

      49152:J6oUM9eEZyfky3a7B9L787fYIdLVYZcl+:RUMHyR3sB9q7CKA

    Score
    10/10
    asyncratdarkcometwarzoneratnew-july-july4-0new-july-july4-02collectioninfostealerpersistenceratspywarestealertrojanupx

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Async RAT payload

      rat

    • Warzone RAT payload

      rat

    • Drops file in Drivers directory

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks