darkcomet | 86d72f1eeefa2a31a2a3e00ffa15e12982c57aef6b758ced28a30dfea50646b1 | Triage

Submit
Reports

Overview

overview

Static

static

MetaMaskBot.exe

windows7-x64

MetaMaskBot.exe

windows10-2004-x64

Sharing

General

Target

MetaMask_Bot.zip
Size

7.3MB
Sample

230111-a14ltadh4w
MD5

9c55fca87556f770240a494f7afbec4a
SHA1

4743de6c01de64dc84f9c576d1366721ffbd0c26
SHA256

86d72f1eeefa2a31a2a3e00ffa15e12982c57aef6b758ced28a30dfea50646b1
SHA512

0f0ff5db6e96985060f1a3386fa4f2543cbadcde541372aeffcb517fa6c4732b7132c570be052fef879e61fb814de991811f27a50159089788956d438ff8c435
SSDEEP

196608:3VlDTR6uTkkl/fmpKYSA4kboIKRemREWDWS0ZOXTStl:3VlfIuTkklnmpTHHKoMDWhgyl

Score

10^/10

darkcomet redline 01 discovery infostealer persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

MetaMaskBot.exe

Resource

win7-20220812-en

darkcomet redline 01 discovery infostealer persistence rat spyware stealer trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

MetaMaskBot.exe

Resource

win10v2004-20220812-en

darkcomet discovery persistence rat spyware stealer trojan

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
188.120.227.9
Port:
21
Username:
PK1
Password:
PK1

Extracted

Credentials

Protocol: ftp
Host:
79.174.12.59
Port:
21
Username:
hsngfb
Password:
hsnrgthearsgdt

Extracted

Family

redline

Botnet

01

C2

62.109.1.213:25978

Attributes

auth_value
83b3b6de7a5c7e6212ec06f17293a6ba

Targets

- Target
  
  MetaMaskBot.exe
- Size
  
  38KB
- MD5
  
  9169eb7a644bd28cbba4759b30298176
- SHA1
  
  ffe90ae79fd542268818deccc193c8617845acfb
- SHA256
  
  d97d88d757d722f0c078b4d22a5fac76bcb44db740c8b3ea9181e8733ac3c1ca
- SHA512
  
  cb47f0b6e74bc3c255e05ae1c5722100186be86f78df16bba166d2b1e580fa6d7bb1e22744fcd04d081dcc50a9c3580f8f85e3dca6a060cb11ef0a6e0bcfdfb5
- SSDEEP
  
  768:h7ra/Tl+hs3E/jU0dugZ0T2Xtz+lHQW40Zz0D3jHUpi1GouIbV:c/T2X/jN2vxZz0DTHUpouIbV
Score

10^/10

darkcomet redline 01 discovery infostealer persistence rat spyware stealer trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Program crash
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometredline01discoveryinfostealerpersistenceratspywarestealertrojan

behavioral2

darkcometdiscoverypersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy