Overview

overview

10

Static

static

Doge-Miner203.exe

windows7-x64

10

Doge-Miner203.exe

windows10-2004-x64

10

Resubmissions

27-01-2023 19:10

230127-xvglescg25 10

27-01-2023 17:57

230127-wjv41adg9z 10

27-01-2023 17:47

230127-wcvjwsdg7x 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Doge-Miner203.exe

  • Size

    6.1MB

  • Sample

    230127-xvglescg25

  • MD5

    d7e6fd264bc937e3646de58e551a29db

  • SHA1

    1db4664777b17e004f71cee4002f9ccc430413e4

  • SHA256

    463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24

  • SHA512

    cc133bd0599c0a994c65c2ddc047dd7bec3d4032201feba63ac8f4a35582a31f2eed5d3bfe385fefda7e76d3e95415b1ccf1923a9b74a1792dc36c8f7caee837

  • SSDEEP

    98304:tGFp32YKbG4vUdQUbSZ/I2jeYXyxd4494Wc9f:tEMbqQ5Z/pjVifXuT

Score
10/10
asyncratdarkcometwarzonerat1++dec_code1111++dec_pure_1new-july-july4-0new-july-july4-02collectioninfostealerpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

1++Dec_Code111

C2

dgorijan20785.hopto.org:35799

Mutex

DC_MUTEX-LBKFSQL

Attributes
  • gencode

    5RZrbWYF4XYM

  • install

    false

  • offline_keylogger

    true

  • password

    hhhhhh

  • persistence

    false

Extracted

Family

darkcomet

Botnet

New-July-July4-02

C2

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes
  • gencode

    UkVkDi2EZxxn

  • install

    false

  • offline_keylogger

    true

  • password

    hhhhhh

  • persistence

    false

Extracted

Family

warzonerat

C2

dgorijan20785.hopto.org:5200

dgorijan20785.hopto.org:5199

45.74.4.244:5199

Extracted

Family

darkcomet

Botnet

1++Dec_Pure_1

C2

dgorijan20785.hopto.org:35799

Mutex

DC_MUTEX-JP69GTU

Attributes
  • gencode

    ZrXR6g2JfYyE

  • install

    false

  • offline_keylogger

    true

  • password

    hhhhhh

  • persistence

    false

Extracted

Family

darkcomet

Botnet

New-July-July4-0

C2

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes
  • gencode

    cKUHbX2GsGhs

  • install

    false

  • offline_keylogger

    true

  • password

    hhhhhh

  • persistence

    false

Extracted

Family

asyncrat

Version

0.5.6A

C2

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808
Mutex

servtle284

Attributes
  • delay

    5

  • install

    true

  • install_file

    wintskl.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Doge-Miner203.exe

    • Size

      6.1MB

    • MD5

      d7e6fd264bc937e3646de58e551a29db

    • SHA1

      1db4664777b17e004f71cee4002f9ccc430413e4

    • SHA256

      463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24

    • SHA512

      cc133bd0599c0a994c65c2ddc047dd7bec3d4032201feba63ac8f4a35582a31f2eed5d3bfe385fefda7e76d3e95415b1ccf1923a9b74a1792dc36c8f7caee837

    • SSDEEP

      98304:tGFp32YKbG4vUdQUbSZ/I2jeYXyxd4494Wc9f:tEMbqQ5Z/pjVifXuT

    Score
    10/10
    darkcometwarzonerat1++dec_code1111++dec_pure_1new-july-july4-02collectioninfostealerpersistenceratspywarestealertrojanupxasyncratnew-july-july4-0

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Async RAT payload

      rat

    • Warzone RAT payload

      rat

    • Drops file in Drivers directory

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks