Analysis
-
max time kernel
134s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
23-05-2024 01:06
General
-
Target
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/NingaliNET Cracked [VersionPremium].exe
-
Size
2.9MB
-
MD5
451b1dd1b12dbd70f3cf580deae0696d
-
SHA1
81024d91d94c302e85455badb21e3a2e4f694eda
-
SHA256
ade39b5cb7124f165ed933e8e7f45469aebe1bb85cec8aadff7fee8ae99e499e
-
SHA512
7fc86b44a02d47f6b577d93ff81c0ba7239995b2d4f1e02475d963f593d9d2ac6ab451770ab4a7fefc9d440e33eeff494d6274fab66f4033f97bd0bb9a57d802
-
SSDEEP
49152:P4+T1crpOB3pVPnBaTOhm5PbQqKpcYeD4K2CqFXBSLlTJcGXDlp/yBFwvP:xT1crpY5zWOEB4qYeSCq2Ll93YFq
Malware Config
Extracted
darkcomet
A1Client
subdomain-dns.duckdns.org:3725
DC_MUTEX-9WL5KMH
-
gencode
F7b2NJbuPvt9
-
install
false
-
offline_keylogger
true
-
persistence
false
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 7 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NingaliNET-RAT 1.0.2.1\NingaliNET 1.0.2.1\NingaliNET Cracked [VersionPremium].exe"C:\Users\Admin\AppData\Local\Temp\NingaliNET-RAT 1.0.2.1\NingaliNET 1.0.2.1\NingaliNET Cracked [VersionPremium].exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\NingaliNET.exe"C:\Users\Admin\AppData\Local\Temp\NingaliNET.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 7323⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AdobeAAMUpdater-1.0\dllhost.exe" /f3⤵
-
C:\Users\Admin\AppData\Local\Temp\dllhost.exe"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\AdobeAAMUpdater-1.0\dllhost.exe.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 3003⤵
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\AdobeAAMUpdater-1.0\dllhost.exe.batFilesize
221B
MD577ab9076e2d81a6f6c59c0f14f8e2509
SHA1d1d036271ccbfe3354a99aba0689a3345d1eea82
SHA25690f097dac23f30ffdcd3e680703511d5467fc2e19be8045759ec45c52e959214
SHA5127a8978ffbd5313a06d1ab1700f4916e5a54f1fa8d709d221292bf6d21f8f48225ed6959b9d93f05c02a5c62f87a502d6810babfb195d3860d83851f097e05b6b
-
C:\Users\Admin\AppData\Local\Temp\dllhost.exeFilesize
54KB
MD50f01571a3e4c71eb4313175aae86488e
SHA12ba648afe2cd52edf5f25e304f77d457abf7ac0e
SHA2568cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022
SHA512159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794
-
\Users\Admin\AppData\Local\Temp\NingaliNET.exeFilesize
1.4MB
MD5eeda9e3dba1a866465f817af9e7c8212
SHA1b78966eb20fdd1c9b4c22c409b2bb9a9a071d680
SHA256f656b5b6736911a787fc4f3374ff247cfbcb277c7c2945c9c5c462354fea968c
SHA5127a7b008b23d1164cfb851c1dc5aa8545b1a76764c331c41cb7de18647f103ac99b138dd7fad20823c90362e17efa043b5517aa8ba11cb5cf836423ace430eccc
-
memory/2128-44-0x0000000000A70000-0x0000000000BE6000-memory.dmpFilesize
1.5MB
-
memory/2128-55-0x0000000071ABE000-0x0000000071ABF000-memory.dmpFilesize
4KB
-
memory/2128-14-0x0000000071ABE000-0x0000000071ABF000-memory.dmpFilesize
4KB
-
memory/2176-1-0x0000000074DD0000-0x000000007537B000-memory.dmpFilesize
5.7MB
-
memory/2176-2-0x0000000074DD0000-0x000000007537B000-memory.dmpFilesize
5.7MB
-
memory/2176-54-0x0000000074DD0000-0x000000007537B000-memory.dmpFilesize
5.7MB
-
memory/2176-0-0x0000000074DD1000-0x0000000074DD2000-memory.dmpFilesize
4KB
-
memory/2928-27-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-29-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-43-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-28-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-26-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-48-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-47-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-45-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-24-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-23-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-21-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2928-32-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-41-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-20-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-56-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB