General

  • Target

    Anubis 2.5 ( Android Banking Botnet ) Panel + APK file.exe

  • Size

    268KB

  • Sample

    240414-vfz34sab84

  • MD5

    58d328c859ed26102d84959e95de9bca

  • SHA1

    d40750fd353b093a0418b167eccd4c2124c64594

  • SHA256

    71e944842708dde91a617790c517a3295db2ea867f894c4f465bfee2977fbe38

  • SHA512

    8818c5f35e86d902e59d16a8bc945038e6eec4fabb442fd5c015d617c7150e56c71717a199fa82f4c08d8e9d9181fdf23f0ddba83d734e6f2c5e40a00a17565e

  • SSDEEP

    6144:rcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37PpdHQd:rcW7KEZlPzCy37Rde

Malware Config

Extracted

Family

darkcomet

Botnet

ip

C2

kvejo991.ddns.net:1604

Mutex

DC_MUTEX-B1GXAHA

Attributes
  • InstallPath

    winlogon.exe

  • gencode

    w3TGdlYWXTQL

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    windows
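
The extracted attributes above are the normalised form of DarkComet's own configuration block. The script below, an added example that is not part of this report or of the malware, shows how that block is decoded and mapped onto the field names used here. Two things are assumptions to verify against your own sample, not facts taken from this page: that the config is stored as a hex-encoded, RC4-encrypted blob whose key for 5.x builds is the one published decoders use (older builds use different keys), and the KEY={value} line format and key names (MUTEX, SID, NETDATA, EDTPATH, KEYNAME, GENCODE, INSTALL, PERSINST, OFFLINEK). The ciphertext is constructed inside the script from a plaintext that mirrors the values in this report; it is not bytes from the sample.

```python
"""Decode and normalise a DarkComet-style configuration blob (added example).

Assumptions, to verify against a real sample:
  * 5.x builds keep the config as a hex string that RC4-decrypts with the key
    "#KCMDDC51#-890" (the key used by public decoders); other builds differ.
  * The decrypted text is one KEY={value} pair per line with the key names in
    FIELD_MAP below, between "#BEGIN DARKCOMET DATA --" / "#EOF ..." markers.
The blob used here is constructed from SAMPLE_PLAINTEXT, not taken from the sample.
"""
import re

DARKCOMET_51_KEY = b"#KCMDDC51#-890"   # assumed key, see module docstring


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# DarkComet config key -> field name used in the report above (mapping assumed).
FIELD_MAP = {
    "MUTEX": "Mutex",
    "SID": "Botnet",            # campaign / server ID, reported as "Botnet"
    "NETDATA": "C2",
    "EDTPATH": "InstallPath",
    "KEYNAME": "reg_key",
    "GENCODE": "gencode",
    "INSTALL": "install",
    "PERSINST": "persistence",
    "OFFLINEK": "offline_keylogger",
}
BOOL_FIELDS = {"install", "persistence", "offline_keylogger"}


def parse_config(plaintext: str) -> dict:
    """Turn KEY={value} lines into the normalised dict shown in the report."""
    cfg = {}
    for m in re.finditer(r"^([A-Z0-9]+)=\{(.*?)\}\s*$", plaintext, re.M):
        key, value = m.group(1), m.group(2)
        name = FIELD_MAP.get(key)
        if name is None:          # keep only the fields the report exposes
            continue
        cfg[name] = (value == "1") if name in BOOL_FIELDS else value
    if "C2" in cfg:               # NETDATA is host:port; split it for IOC use
        host, _, port = cfg["C2"].rpartition(":")
        cfg["C2"] = {"host": host, "port": int(port)}
    return cfg


def decode_blob(hex_blob: str, key: bytes = DARKCOMET_51_KEY) -> dict:
    """Hex-decode, RC4-decrypt and parse a config blob."""
    plaintext = rc4(key, bytes.fromhex(hex_blob)).decode("latin-1")
    return parse_config(plaintext)


# Constructed plaintext mirroring the extracted config above (not sample bytes).
SAMPLE_PLAINTEXT = (
    "#BEGIN DARKCOMET DATA --\r\n"
    "MUTEX={DC_MUTEX-B1GXAHA}\r\n"
    "SID={ip}\r\n"
    "NETDATA={kvejo991.ddns.net:1604}\r\n"
    "GENCODE={w3TGdlYWXTQL}\r\n"
    "INSTALL={1}\r\n"
    "EDTPATH={winlogon.exe}\r\n"
    "KEYNAME={windows}\r\n"
    "PERSINST={1}\r\n"
    "OFFLINEK={1}\r\n"
    "#EOF DARKCOMET DATA --\r\n"
)
# Encrypt it the same way a packed config would be stored, to exercise decode_blob().
SAMPLE_BLOB = rc4(DARKCOMET_51_KEY, SAMPLE_PLAINTEXT.encode("latin-1")).hex()

if __name__ == "__main__":
    for field, value in decode_blob(SAMPLE_BLOB).items():
        print(f"{field}: {value}")
```

On a real binary the blob comes from the PE resource that holds the config; point `decode_blob()` at that hex string and try the other known keys if the output is not readable text.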

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur. Although the file name advertises an Anubis Android banking-botnet panel and APK, the extracted configuration above identifies this executable as a DarkComet implant: the "malware kit" is a lure aimed at whoever downloads it.

    • Modifies WinLogon for persistence

      Consistent with persistence=true in the extracted config. The dropped copy is also named winlogon.exe (InstallPath above), so the RAT masquerades as the legitimate Windows logon process.

    • Sets file to hidden

      Sets the hidden attribute on the dropped file so it is not shown in Explorer and similar file browsers by default.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • UPX packed file

      The executable is packed with UPX or a modified build of the open-source UPX packer; unpack it before static analysis.

    • Adds Run key to start application

      Adds a Run key value to start the application at logon (value name windows, per reg_key above).
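
The behaviours and configuration above translate directly into host and network indicators: a winlogon.exe running from outside the system directory, a Run value named windows, a Winlogon key edit, a mutex with the DC_MUTEX- prefix, and traffic to kvejo991.ddns.net or port 1604 (DarkComet's default listener port). The script below is an added example, not part of the sandbox report, that evaluates those indicators over a small set of constructed telemetry events. The event schema (event, image, key, value_name, name, host, port, path, attributes) is an assumed normalised format, not that of any particular EDR or sandbox, and the Winlogon value names it watches (Userinit, Shell) are the usual persistence targets, assumed rather than stated on this page.

```python
"""Match host/network telemetry against the DarkComet IOCs from the report (added example).

The events in SAMPLE_EVENTS are constructed for the demonstration, and the
field names form an assumed normalised schema rather than any vendor's format.
"""
import ntpath
import re
from collections import defaultdict

# Indicators taken from the report above.
C2_HOST = "kvejo991.ddns.net"
C2_PORT = 1604                  # also DarkComet's default listener port
MUTEX_PREFIX = "DC_MUTEX-"      # DarkComet mutex naming pattern
RUN_VALUE_NAME = "windows"      # reg_key from the extracted config
DROPPED_NAME = "winlogon.exe"   # InstallPath from the extracted config
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$", re.I)
WINLOGON_KEY_RE = re.compile(r"\\currentversion\\winlogon$", re.I)
WINLOGON_VALUES = {"userinit", "shell"}   # assumed: values edited for Winlogon persistence


def check_event(ev: dict) -> list:
    """Return (rule, detail) hits for one normalised event; empty list if benign."""
    hits = []
    kind = ev.get("event")
    if kind == "process_create":
        image = ev.get("image", "")
        # The genuine winlogon.exe lives in System32; a copy elsewhere is the dropped RAT.
        if (ntpath.basename(image).lower() == DROPPED_NAME
                and ntpath.dirname(image).lower() not in SYSTEM_DIRS):
            hits.append(("winlogon_masquerade", image))
    elif kind == "registry_set":
        key, value = ev.get("key", ""), ev.get("value_name", "")
        if RUN_KEY_RE.search(key) and value.lower() == RUN_VALUE_NAME:
            hits.append(("run_key_persistence", f"{key}\\{value}"))
        if WINLOGON_KEY_RE.search(key) and value.lower() in WINLOGON_VALUES:
            hits.append(("winlogon_persistence", f"{key}\\{value}"))
    elif kind == "mutex_create":
        if ev.get("name", "").startswith(MUTEX_PREFIX):
            hits.append(("darkcomet_mutex", ev["name"]))
    elif kind == "dns_query":
        if ev.get("host", "").lower() == C2_HOST:
            hits.append(("c2_dns", ev["host"]))
    elif kind == "network_connect":
        if ev.get("host", "").lower() == C2_HOST or ev.get("port") == C2_PORT:
            hits.append(("c2_connect", f"{ev.get('host')}:{ev.get('port')}"))
    elif kind == "file_attribute":
        attrs = {a.lower() for a in ev.get("attributes", [])}
        if "hidden" in attrs and ntpath.basename(ev.get("path", "")).lower() == DROPPED_NAME:
            hits.append(("hidden_dropped_file", ev["path"]))
    return hits


def scan(events) -> dict:
    """Aggregate hits across a stream of events: rule name -> list of details."""
    found = defaultdict(list)
    for ev in events:
        for rule, detail in check_event(ev):
            found[rule].append(detail)
    return dict(found)


# Constructed telemetry: one benign winlogon start, then the infection chain.
DROPPED_PATH = r"C:\Users\victim\AppData\Roaming\winlogon.exe"
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\winlogon.exe"},
    {"event": "process_create", "image": DROPPED_PATH},
    {"event": "file_attribute", "path": DROPPED_PATH, "attributes": ["hidden", "system"]},
    {"event": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "windows", "data": DROPPED_PATH},
    {"event": "registry_set", "key": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value_name": "Userinit", "data": r"C:\Windows\system32\userinit.exe," + DROPPED_PATH},
    {"event": "mutex_create", "name": "DC_MUTEX-B1GXAHA"},
    {"event": "dns_query", "host": "kvejo991.ddns.net"},
    {"event": "network_connect", "host": "203.0.113.10", "port": 1604},   # TEST-NET address
    {"event": "network_connect", "host": "example.com", "port": 443},
]

if __name__ == "__main__":
    for rule, details in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: {details}")
```

The port-only rule for c2_connect is the noisiest of the set; on a real network, pair it with the DNS hit or the process indicator before acting on it.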
