General

  • Target

    11d71f63829578f73939cbd65e0a1b30d8b2e87931b31316064541943a1440bc

  • Size

    473KB

  • Sample

    221125-ffjzkacc25

  • MD5

    34c826181c39fd1669e902ea6d6a09a1

  • SHA1

    d395c87a25b62753e11b7ebfa77fbf9617c670e5

  • SHA256

    11d71f63829578f73939cbd65e0a1b30d8b2e87931b31316064541943a1440bc

  • SHA512

    0101cacbbebb05862255c1d2b5d8cdb3df8d350181b392cf57cb591d22fcf320aeaf69991fe840e0e01f10f7922130d97f00858df43d2e5d16dd42fa7ff24f3b

  • SSDEEP

    12288:bwdv2g3QQy5T3mYyQPZlk9m6TeXHHFk4FmepyaLdY89asq:bwF2go13376aYKyudYqk

Malware Config

Extracted

Family

darkcomet

Botnet

NEWS

C2

informer.ddns.net:1605

informer.ddns.net:1606

Mutex

DC_MUTEX-L6AVTYM

Attributes
  • gencode

    kNGa0laUgQF5

  • install

    false

  • offline_keylogger

    true

  • password

    chinelo4545

  • persistence

    false
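The configuration above is what a DarkComet decoder recovers from the sample. The script below is an added example (not code from the report, from DarkComet or from its author) of how such a decoder works end to end: RC4-decrypt the config blob with a static per-version key, parse the KEY={value} lines and map them onto the labels used in this section. It assumes, as public decoders do, that DarkComet 5.x keeps the config in a hex-encoded, RC4-encrypted resource keyed with strings such as "#KCMDDC51#-890", and that the field names are MUTEX, SID, NETDATA, GENCODE, INSTALL, OFFLINEK, PWD and PERSINST; neither assumption is stated by the report. The sample blob is constructed from the values above so the script runs offline; it is not the resource taken from the sample.

```python
# Added example (not from the Triage report, DarkComet or its author):
# decode a DarkComet 5.x config blob and map it onto the report's labels.
#
# ASSUMPTIONS (not stated by the report):
#  - the config lives in a hex-encoded RCData resource, RC4-encrypted with
#    a static per-version key; public decoders try the list below in turn;
#  - the plaintext is one KEY={value} field per line with the field names
#    MUTEX, SID, NETDATA, GENCODE, INSTALL, OFFLINEK, PWD, PERSINST;
#  - SAMPLE_BLOB is constructed here from the report's values; it is not
#    the resource extracted from the analysed sample.
import re
from typing import Dict, List, Tuple

# Per-version static RC4 keys, most recent first (assumption, see above).
RC4_KEYS: List[bytes] = [
    b"#KCMDDC51#-890",
    b"#KCMDDC5#-890",
    b"#KCMDDC42F#-890",
    b"#KCMDDC42#-890",
    b"#KCMDDC4#-890",
    b"#KCMDDC2#-890",
]

FIELD_RE = re.compile(r"^([A-Z0-9]+)=\{(.*)\}$")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_fields(plaintext: str) -> Dict[str, str]:
    """Turn 'KEY={value}' lines into a dict; anything else is ignored."""
    fields: Dict[str, str] = {}
    for line in plaintext.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def decrypt_config(hex_blob: str) -> Tuple[bytes, Dict[str, str]]:
    """Try each known key; accept the first plaintext carrying a MUTEX field."""
    raw = bytes.fromhex(hex_blob)
    for key in RC4_KEYS:
        plain = rc4(key, raw)
        try:
            text = plain.decode("ascii")
        except UnicodeDecodeError:
            continue  # wrong key: the output is effectively random bytes
        fields = parse_fields(text)
        if "MUTEX" in fields:
            return key, fields
    raise ValueError("no known DarkComet key yields a config")


def to_report(fields: Dict[str, str]) -> Dict[str, object]:
    """Map raw fields onto the labels used in the report's config section."""
    c2 = [hp for hp in fields.get("NETDATA", "").split("|") if hp]
    return {
        "botnet": fields.get("SID"),
        "c2": c2,
        "mutex": fields.get("MUTEX"),
        "gencode": fields.get("GENCODE"),
        "install": fields.get("INSTALL") == "1",
        "offline_keylogger": fields.get("OFFLINEK") == "1",
        "password": fields.get("PWD"),
        "persistence": fields.get("PERSINST") == "1",
    }


# Constructed sample: the report's values in the assumed field format,
# encrypted with the 5.1 key and hex-encoded.
SAMPLE_PLAINTEXT = "\r\n".join([
    "MUTEX={DC_MUTEX-L6AVTYM}",
    "SID={NEWS}",
    "NETDATA={informer.ddns.net:1605|informer.ddns.net:1606}",
    "GENCODE={kNGa0laUgQF5}",
    "INSTALL={0}",
    "OFFLINEK={1}",
    "PWD={chinelo4545}",
    "PERSINST={0}",
])
SAMPLE_BLOB = rc4(RC4_KEYS[0], SAMPLE_PLAINTEXT.encode("ascii")).hex().upper()

if __name__ == "__main__":
    key, fields = decrypt_config(SAMPLE_BLOB)
    print("key:", key.decode())
    for name, value in to_report(fields).items():
        print(f"{name:18} {value}")
```

Trying the keys in order and accepting only a plaintext that parses into fields is what makes the decoder safe to run unattended over a corpus: a wrong key produces pseudo-random bytes, which fail the ASCII decode or the MUTEX check rather than yielding a bogus config.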

Targets

    • Target

      PROFORMA.exe

    • Size

      290KB

    • MD5

      17ab913384c61e2cab2c32e25f6f127e

    • SHA1

      adc9abb82f0be7df5351f80f85a75209ea691f7c

    • SHA256

      317cf2b96b1fca04ccc746dc7cfc24776bbb09ed1eae2932a184c6081f89784e

    • SHA512

      e2057ba7d14708bc8e4cd6fc418c35ce0dc51c8bd27c6ac364b931c6e412937e3cd1fd747b3f1b59c350cfec427b33578dd692c2bd0f48c64d14162f955c2249

    • SSDEEP

      6144:PMapLqoIeQMDFdaioxK08X4L1EuQHZIL510OYWjW2o/+:PMuLqoIebdaioI08XuKubd110

    Score
    1/10
    • Target

      PROFORMA2.exe

    • Size

      343KB

    • MD5

      69661f894bc24159f7796f022db64c67

    • SHA1

      733c507e16327c2db7715c2704db3b4bff01e026

    • SHA256

      1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6

    • SHA512

      3b918d4faff57c5d6da75c0b94d84f69220555c9a4522d780a1764b5612261971a0b162546d5b3404198e1920c475194dc07c6019dff6d3bb778e14dfbf2fe3c

    • SSDEEP

      6144:xMaed6qRf1VYOnThmxoTfqlac/lTcspV+qrjQKcW:xMnvRfblF5tyxfkqrcK

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • UPX packed file

      Detects executables packed with UPX or with a modified build of the open-source UPX packer.

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Traffic on the DNS port (53) to servers other than the configured DNS resolvers was detected.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
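The C2 entries in the config section and the "Unexpected DNS network traffic destination" signature translate directly into detection logic. The script below is an added example (not code from the report or the sandbox) that runs such logic over a handful of constructed log lines: it flags lookups of the configured C2 hostname, correlates the answer it sees on the wire with later connections to the configured ports (a DDNS host changes address, so the IP must not be hard-coded), and flags port-53 traffic to anything other than the network's configured resolvers. The log format, the resolver list and the addresses are all constructed for this example; the mutex check assumes the seven-character suffix seen in the report is the general shape.

```python
# Added example (not from the Triage report or the sandbox): detection
# logic built from the extracted config, run over CONSTRUCTED log lines.
#
# Log format (constructed for this example, one event per line):
#   <ts> dns  <src> <resolver_ip> 53 <qname> <answer_ip>
#   <ts> conn <src> <dst_ip> <dport> <proto>
# Addresses are from RFC 1918 and documentation ranges.
import re
from typing import Dict, Iterable, List, Set, Tuple

# IOCs copied from the "Malware Config" section of the report.
C2 = ["informer.ddns.net:1605", "informer.ddns.net:1606"]
MUTEX = "DC_MUTEX-L6AVTYM"

# Resolvers this (constructed) network is supposed to use.
CONFIGURED_RESOLVERS: Set[str] = {"10.0.0.2", "10.0.0.3"}

# DC_MUTEX- prefix is from the report; the fixed 7-character suffix is an
# assumption of this example.
DC_MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")


def is_darkcomet_mutex(name: str) -> bool:
    return DC_MUTEX_RE.match(name) is not None


def split_c2(entries: Iterable[str]) -> Tuple[Set[str], Set[int]]:
    """'host:port' entries -> (hostnames, ports)."""
    hosts: Set[str] = set()
    ports: Set[int] = set()
    for entry in entries:
        host, port = entry.rsplit(":", 1)
        hosts.add(host.lower())
        ports.add(int(port))
    return hosts, ports


def detect(lines: Iterable[str], c2: Iterable[str] = C2,
           resolvers: Set[str] = CONFIGURED_RESOLVERS) -> List[Tuple[str, str, str, str]]:
    """Return (ts, rule, src, detail) alerts for the constructed log lines."""
    c2_hosts, c2_ports = split_c2(c2)
    resolved: Dict[str, str] = {}  # answer IP -> C2 hostname it was seen for
    alerts: List[Tuple[str, str, str, str]] = []
    for line in lines:
        f = line.split()
        ts, kind, src, dst, dport = f[0], f[1], f[2], f[3], int(f[4])
        # "Unexpected DNS network traffic destination": port-53 traffic to
        # something other than the configured resolvers.
        if dport == 53 and dst not in resolvers:
            alerts.append((ts, "dns_unexpected_resolver", src, dst))
        if kind == "dns":
            qname, answer = f[5].rstrip(".").lower(), f[6]
            if qname in c2_hosts:
                alerts.append((ts, "c2_dns_lookup", src, qname))
                resolved[answer] = qname  # remember what the DDNS name resolved to
        elif kind == "conn":
            # A connection to an address the C2 name resolved to, on a
            # configured C2 port, is the actual beacon.
            if dst in resolved and dport in c2_ports:
                alerts.append((ts, "c2_connect", src, f"{resolved[dst]}:{dport}"))
    return alerts


# Constructed sample log: one host looks up and beacons to the C2 and also
# talks to a non-configured resolver; a second host is benign.
SAMPLE_LOG = [
    "2022-11-25T14:00:01Z dns  10.0.0.5 10.0.0.2 53 informer.ddns.net 198.51.100.23",
    "2022-11-25T14:00:02Z conn 10.0.0.5 198.51.100.23 1605 tcp",
    "2022-11-25T14:00:03Z conn 10.0.0.5 198.51.100.23 1606 tcp",
    "2022-11-25T14:00:04Z conn 10.0.0.5 203.0.113.53 53 udp",
    "2022-11-25T14:00:05Z dns  10.0.0.7 10.0.0.2 53 example.com 203.0.113.80",
    "2022-11-25T14:00:06Z conn 10.0.0.7 203.0.113.80 443 tcp",
    "2022-11-25T14:00:07Z conn 10.0.0.5 198.51.100.23 80 tcp",
]

if __name__ == "__main__":
    print("mutex matches DarkComet shape:", is_darkcomet_mutex(MUTEX))
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The last constructed line (port 80 to the C2 address) deliberately does not fire: the rule keys on the configured ports, so a shared or recycled DDNS address does not flood the queue; widen it to any port only if the address is confirmed dedicated to the operator.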

MITRE ATT&CK Enterprise v6

Tasks