Overview

overview

10

Static

static

Private_Ke...d6.scr

windows7-x64

10

Private_Ke...d6.scr

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr

  • Size

    1.8MB

  • Sample

    230128-x79sqsga33

  • MD5

    e9c7c1618703c0a089195fcf12ff572a

  • SHA1

    d484e95c67866254562b534169bbc4e8ca8aa759

  • SHA256

    ad44f81905413748eaab45e02235be449046433f2acf0edc8bdc0f5d73fca77a

  • SHA512

    976b7669a32eaa57d78f21341287111eb4602f018d74075ec57a9347c892af200784c5ad14d8e5bb536d8c16c735092e110f11dae6eaac502b093d176a10bb64

  • SSDEEP

    49152:nfU0nviMsLVdf2Hc5HxK0Es0WLw2ifBJ6Zy:nfHKzLzf2QAJrf0y

Score
10/10
asyncratdarkcometwarzoneratnew-july-july4-0new-july-july4-01infostealerpersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

New-July-July4-01

C2

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-N3AV3EU

Attributes
  • gencode

    sGSTFQ1pY1TB

  • install

    false

  • offline_keylogger

    true

  • password

    hhhhhh

  • persistence

    false

Extracted

Family

asyncrat

Version

0.5.6A

C2

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808
Mutex

servtle284

Attributes
  • delay

    5

  • install

    true

  • install_file

    wintskl.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

warzonerat

C2

dgorijan20785.hopto.org:5199

45.74.4.244:5199

Extracted

Family

darkcomet

Botnet

New-July-July4-0

C2

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes
  • gencode

    cKUHbX2GsGhs

  • install

    false

  • offline_keylogger

    true

  • password

    hhhhhh

  • persistence

    false

Targets

    • Target

      Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr

    • Size

      1.8MB

    • MD5

      e9c7c1618703c0a089195fcf12ff572a

    • SHA1

      d484e95c67866254562b534169bbc4e8ca8aa759

    • SHA256

      ad44f81905413748eaab45e02235be449046433f2acf0edc8bdc0f5d73fca77a

    • SHA512

      976b7669a32eaa57d78f21341287111eb4602f018d74075ec57a9347c892af200784c5ad14d8e5bb536d8c16c735092e110f11dae6eaac502b093d176a10bb64

    • SSDEEP

      49152:nfU0nviMsLVdf2Hc5HxK0Es0WLw2ifBJ6Zy:nfHKzLzf2QAJrf0y

    Score
    10/10
    asyncratdarkcometwarzoneratnew-july-july4-0new-july-july4-01infostealerpersistencerattrojanupx

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Async RAT payload

      rat

    • Warzone RAT payload

      rat

    • Drops file in Drivers directory

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks