General
  Target: Dogecoin-Miner2022.rar
  Size: 2.0MB
  Sample: 221013-nf3exabgdm
  MD5: 9317d885cc99802c9619078acea649b7
  SHA1: b7cc56c4476dc0461704aa4218da6e5f3a9aae9b
  SHA256: 5ca12788e41f318c0ce21ad6a83020fe303f9219811451651335e51e8b891b63
  SHA512: 3c03cab75ce122e17ed9c3ff6a85c9e39246c84217bd7b5fa63c2eaab14ad02d4c57dbbaa0d1209d9d1e6cc1e3c53d3b7948e75d020ba803e30e12b29272f524
  SSDEEP: 49152:96Q0aGVKS7iCe+k5IDW8b27ipiHaixkf2knLf9Y82GIrU:UP7csRnAWsHfejnLFY82GIrU

Static task: static1

Behavioral task: behavioral1
  Sample: Dogecoin-Miner2022/Dogecoin-Miner2022l.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: Dogecoin-Miner2022/Dogecoin-Miner2022l.exe
  Resource: win10v2004-20220901-en

Malware Config

Extracted: darkcomet
  New-July-July4-01
  dgorijan20785.hopto.org:35800
  DC_MUTEX-U4BEN1Z
  gencode: 8sAQdbHcGDto
  install: false
  offline_keylogger: true
  password: hhhhhh
  persistence: false

Extracted: warzonerat
  dgorijan20785.hopto.org:5199
  45.74.4.244:5199

Extracted: darkcomet
  New-July-July4-0
  45.74.4.244:35800
  DC_MUTEX-RT27KF0
  gencode: cKUHbX2GsGhs
  install: false
  offline_keylogger: true
  password: hhhhhh
  persistence: false

Extracted: asyncrat
  0.5.6A
  45.74.4.244:6606
  45.74.4.244:7707
  45.74.4.244:8808
  servtle284
  delay: 5
  install: true
  install_file: wintskl.exe
  install_folder: %AppData%

Targets

Target: Dogecoin-Miner2022/Dogecoin-Miner2022l.exe
  Size: 2.1MB
  MD5: 36620d7c222248584634f10481f3be35
  SHA1: 2f65c68e266d55fe334f2bb3fcd8f824b090cf5f
  SHA256: ff2bc238f2ce0d5c0b08af957f4098b63f3c402edc3694370950805780647888
  SHA512: 8d03f58e08c3c6553551e0d7ad7ef8ddc591c0f174d3c99cfc757e466038a4d1829c3643605ec64fbc7f65385036030a704b9f0835ab8bd58f9f3d92ea75928c
  SSDEEP: 49152:MeEP61UdA1RtpDlgwG20lx7xV+59phiYBF1h3tfK2ek0jg:J1UoRtpJg/lx7xY9phBF1ptC2ekM

Signatures
  - Modifies firewall policy service
  - Modifies security service
  - WarzoneRat, AveMaria
    WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
  - Async RAT payload
  - Warzone RAT payload
  - Disables RegEdit via registry modification
  - Disables Task Manager via registry modification
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Checks computer location settings
    Looks up the country code configured in the registry, likely for geofencing.
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext