General
Target: Dogecoin-Miner2022.exe
Size: 5.8MB
Sample: 230108-yhc8xaaa3z
MD5: e72b1feb2a030b80c0c5209dbdfc6b94
SHA1: bf5c2c1dc9a1f65938af801146022939216a4504
SHA256: 96805d4d3e908f6ecc11cd5334a78acf2f6073769b59f1a4bb0d67ef1d040365
SHA512: 2b0e0367afa6f6f5a7d3d0c5a45e3b7207ba22c78cc76fc2ba53cc874bbb78973765a361f593cde168218d871cd65bd290cd1c07340bcf66d11d6ac8d8f6e19a
SSDEEP: 98304:WHfHfHfHFH1m9kS4Wcv9PSQDBf3M3fWtUVtXHEtAYvzh:2///91m93NcvVSWVM3f8A
Static task: static1
Behavioral task: behavioral1
  Sample: Dogecoin-Miner2022.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: Dogecoin-Miner2022.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted: darkcomet
  Botnet: @333++JAN_Code3333
  C2: dgorijan20785.hopto.org:35800
  Mutex: DC_MUTEX-3DU7V7J
  InstallPath: winrars.exe
  gencode: Wv1Q34JHUltQ
  install: true
  offline_keylogger: true
  password: hhhhhh
  persistence: false
  reg_key: winrar
Extracted: darkcomet
  Botnet: New-July-July4-01
  C2: dgorijan20785.hopto.org:35800
  Mutex: DC_MUTEX-U4BEN1Z
  gencode: 8sAQdbHcGDto
  install: false
  offline_keylogger: true
  password: hhhhhh
  persistence: false
Extracted: warzonerat
  C2: 45.74.4.244:5199
  C2: dgorijan20785.hopto.org:5199
Extracted: darkcomet
  Botnet: New-July-July4-0
  C2: 45.74.4.244:35800
  Mutex: DC_MUTEX-RT27KF0
  gencode: cKUHbX2GsGhs
  install: false
  offline_keylogger: true
  password: hhhhhh
  persistence: false
Extracted: asyncrat
  Version: 0.5.6A
  C2: 45.74.4.244:6606
  C2: 45.74.4.244:7707
  C2: 45.74.4.244:8808
  Mutex: servtle284
  delay: 5
  install: true
  install_file: wintskl.exe
  install_folder: %AppData%
Extracted: darkcomet
  Botnet: @1++Dec_Code1
  C2: dgorijan20785.hopto.org:35800
  Mutex: DC_MUTEX-QKTE9F0
  gencode: mHPyGzxUU6he
  install: false
  offline_keylogger: true
  password: hhhhhh
  persistence: false
Targets
Target: Dogecoin-Miner2022.exe
- Modifies WinLogon for persistence
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Async RAT payload
- Warzone RAT payload
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext