Overview

overview

10

Static

static

3

PrivateKey...k8.scr

windows7-x64

10

PrivateKey...k8.scr

windows10-2004-x64

10

Resubmissions

21-02-2024 19:45

240221-ygpwbaed6y 10

21-02-2024 19:44

240221-yga26aeh56 3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.rar

  • Size

    1.9MB

  • Sample

    240221-ygpwbaed6y

  • MD5

    b2fcd40069f2702a08154dbe8777e776

  • SHA1

    0545f0252ddb52ae05af94e43faeac6798c098ec

  • SHA256

    1a2d91d4583245bfd63a9b9da90337ba7d4527482c59e26225403500a5cd5379

  • SHA512

    e83ed660eebe06cf290bb68c6247aec4d34f1c1779d6581806b42e7211749cf82fc25fa53c767fcfb672030f3d696bcdc5ab61f86ee95a031050bee8a26fe266

  • SSDEEP

    49152:7L2lgzRXqTq4Du+71fgDdsuUWNLhj1QTWC9b+ZS:nJlXqpDZRYDyuUSLPMWr8

Score
10/10
asyncratbabylonratdarkcometwarzoneratnew-july-july4-0new-july-july4-02nulldiscoveryinfostealerpersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

New-July-July4-02

C2

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes
  • gencode

    UkVkDi2EZxxn

  • install

    false

  • offline_keylogger

    true

  • password

    hhhhhh

  • persistence

    false

Extracted

Family

darkcomet

Botnet

New-July-July4-0

C2

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes
  • gencode

    cKUHbX2GsGhs

  • install

    false

  • offline_keylogger

    true

  • password

    hhhhhh

  • persistence

    false

Extracted

Family

warzonerat

C2

dgorijan20785.hopto.org:5199

45.74.4.244:5199

Extracted

Family

asyncrat

Version

0.5.6A

Botnet

null

C2

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808
Mutex

servtle284

Attributes
  • delay

    5

  • install

    true

  • install_file

    wintskl.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

babylonrat

C2

dgorijan20785.hopto.org

Targets

    • Target

      PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8/PrivateKey_15GECExQTVNM4XCVD8VsTbMFYFcfXh2wk8.scr

    • Size

      2.0MB

    • MD5

      9e24897df35b09b2b67823b1e47a5b24

    • SHA1

      f878bad995d4188f1de75263724f5935fc6a2408

    • SHA256

      6b0fe8528ae159c1c6dbe6275f1e89d1aabafe842cb4ec01df7eb0d47d0a0358

    • SHA512

      1f0b56b1c0166f3a8cf15e231c7a62bb3e3d38e355c37ea3a1a4d02b339564f81559203371eb04ca725e7b1b95b999be29938166570edd4c288eb7ab1c6341e6

    • SSDEEP

      49152:moUM9eEZyfky3a7B9L787fYIdLVYZcl+:bUMHyR3sB9q7CKA

    Score
    10/10
    asyncratdarkcometwarzoneratnew-july-july4-0new-july-july4-02nulldiscoveryinfostealerpersistencerattrojanupxbabylonrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Babylon RAT

      Babylon RAT is remote access trojan written in C++.

      trojanbabylonrat

    • Babylonrat family

      babylonrat

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Darkcomet family

      darkcomet

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzonerat family

      warzonerat

    • Warzone RAT payload

      rat

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks