General
-
Target
7ab0594bd177fae88bfd40d8e7e52fd0_NEIKI
-
Size
807KB
-
Sample
240508-nbbfmahe91
-
MD5
7ab0594bd177fae88bfd40d8e7e52fd0
-
SHA1
4c1031590a3a01396b923e13c94b105d8bb7a069
-
SHA256
f536d95a23e8e4c2c88c8137e353140e014b36b1b5406b2c271e80e2aa206a49
-
SHA512
6a8d1b087af645b05efe6a4a122c066b6e5d4311f1c710506161443ef5284434e479f279d106ed0571e88916c2bd519cbc50fc32777a30cfbfaa898fe8d6dee4
-
SSDEEP
12288:Oc1wkpHUfnNmtHA98vVCXS630X1oN4DxbUBySHNend:V1wkp6n8tLtCil8Ra
Malware Config
Extracted
darkcomet
BR
gegesantx.ddns.net:1604
DC_MUTEX-Q59K1YZ
-
InstallPath
Windows/System32\system.exe
-
gencode
6ozMEU10jv2P
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
Windows 20H2
Extracted
xworm
3.0
gegesantx.ddns.net:7777
YeiOlQWoA6V8fBW6
-
Install_directory
%AppData%
-
install_file
System.exe
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Hacking
189.106.241.208:4449
onkexgngrcfwhdknx
-
delay
1
-
install
true
-
install_file
System.exe
-
install_folder
%AppData%
Targets
-
-
Target
7ab0594bd177fae88bfd40d8e7e52fd0_NEIKI
-
Size
807KB
-
MD5
7ab0594bd177fae88bfd40d8e7e52fd0
-
SHA1
4c1031590a3a01396b923e13c94b105d8bb7a069
-
SHA256
f536d95a23e8e4c2c88c8137e353140e014b36b1b5406b2c271e80e2aa206a49
-
SHA512
6a8d1b087af645b05efe6a4a122c066b6e5d4311f1c710506161443ef5284434e479f279d106ed0571e88916c2bd519cbc50fc32777a30cfbfaa898fe8d6dee4
-
SSDEEP
12288:Oc1wkpHUfnNmtHA98vVCXS630X1oN4DxbUBySHNend:V1wkp6n8tLtCil8Ra
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Detect Xworm Payload
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Modifies security service
-
Windows security bypass
-
Xworm
Xworm is a remote access trojan written in C#.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Async RAT payload
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3