Overview
overview
10Static
static
3NingaliNET...or.dll
windows7-x64
1NingaliNET...or.dll
windows10-2004-x64
1NingaliNET...ib.dll
windows7-x64
1NingaliNET...ib.dll
windows10-2004-x64
1NingaliNET...il.dll
windows7-x64
1NingaliNET...il.dll
windows10-2004-x64
1NingaliNET...m].exe
windows7-x64
10NingaliNET...m].exe
windows10-2004-x64
10NingaliNET...l].exe
windows7-x64
1NingaliNET...l].exe
windows10-2004-x64
1NingaliNET...er.exe
windows7-x64
1NingaliNET...er.exe
windows10-2004-x64
1NingaliNET...er.exe
windows7-x64
1NingaliNET...er.exe
windows10-2004-x64
1NingaliNET...nt.exe
windows7-x64
1NingaliNET...nt.exe
windows10-2004-x64
1NingaliNET...al.exe
windows7-x64
1NingaliNET...al.exe
windows10-2004-x64
1NingaliNET...es.exe
windows7-x64
1NingaliNET...es.exe
windows10-2004-x64
1NingaliNET...er.dll
windows7-x64
1NingaliNET...er.dll
windows10-2004-x64
1NingaliNET...np.dll
windows7-x64
1NingaliNET...np.dll
windows10-2004-x64
1Analysis
-
max time kernel
134s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
23-05-2024 01:06
Static task
static1
Behavioral task
behavioral1
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/IconInjector.dll
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/IconInjector.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Interop.NATUPNPLib.dll
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Interop.NATUPNPLib.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Mono.Cecil.dll
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Mono.Cecil.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/NingaliNET Cracked [VersionPremium].exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/NingaliNET Cracked [VersionPremium].exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/NingaliNET [Original].exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/NingaliNET [Original].exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Plugins/Filebinder.exe
Resource
win7-20240508-en
Behavioral task
behavioral12
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Plugins/Filebinder.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Plugins/Server.exe
Resource
win7-20240508-en
Behavioral task
behavioral14
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Plugins/Server.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Plugins/dlentrypoint.exe
Resource
win7-20240215-en
Behavioral task
behavioral16
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Plugins/dlentrypoint.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Plugins/dlnormal.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Plugins/dlnormal.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Res/res.exe
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Res/res.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/SocketServer.dll
Resource
win7-20240508-en
Behavioral task
behavioral22
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/SocketServer.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral23
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/upnp.dll
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/upnp.dll
Resource
win10v2004-20240426-en
General
-
Target
NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/NingaliNET Cracked [VersionPremium].exe
-
Size
2.9MB
-
MD5
451b1dd1b12dbd70f3cf580deae0696d
-
SHA1
81024d91d94c302e85455badb21e3a2e4f694eda
-
SHA256
ade39b5cb7124f165ed933e8e7f45469aebe1bb85cec8aadff7fee8ae99e499e
-
SHA512
7fc86b44a02d47f6b577d93ff81c0ba7239995b2d4f1e02475d963f593d9d2ac6ab451770ab4a7fefc9d440e33eeff494d6274fab66f4033f97bd0bb9a57d802
-
SSDEEP
49152:P4+T1crpOB3pVPnBaTOhm5PbQqKpcYeD4K2CqFXBSLlTJcGXDlp/yBFwvP:xT1crpY5zWOEB4qYeSCq2Ll93YFq
Malware Config
Extracted
darkcomet
A1Client
subdomain-dns.duckdns.org:3725
DC_MUTEX-9WL5KMH
-
gencode
F7b2NJbuPvt9
-
install
false
-
offline_keylogger
true
-
persistence
false
Signatures
-
Drops startup file 2 IoCs
Processes:
cmd.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.exe cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.exe cmd.exe -
Executes dropped EXE 2 IoCs
Processes:
NingaliNET.exedllhost.exepid process 2128 NingaliNET.exe 2928 dllhost.exe -
Loads dropped DLL 7 IoCs
Processes:
NingaliNET Cracked [VersionPremium].exeWerFault.exepid process 2176 NingaliNET Cracked [VersionPremium].exe 2176 NingaliNET Cracked [VersionPremium].exe 2384 WerFault.exe 2384 WerFault.exe 2384 WerFault.exe 2384 WerFault.exe 2384 WerFault.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
NingaliNET Cracked [VersionPremium].exedescription pid process target process PID 2176 set thread context of 2928 2176 NingaliNET Cracked [VersionPremium].exe dllhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2384 2128 WerFault.exe NingaliNET.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 2064 timeout.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
NingaliNET Cracked [VersionPremium].exepid process 2176 NingaliNET Cracked [VersionPremium].exe 2176 NingaliNET Cracked [VersionPremium].exe 2176 NingaliNET Cracked [VersionPremium].exe 2176 NingaliNET Cracked [VersionPremium].exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
NingaliNET Cracked [VersionPremium].exedllhost.exedescription pid process Token: SeDebugPrivilege 2176 NingaliNET Cracked [VersionPremium].exe Token: SeIncreaseQuotaPrivilege 2928 dllhost.exe Token: SeSecurityPrivilege 2928 dllhost.exe Token: SeTakeOwnershipPrivilege 2928 dllhost.exe Token: SeLoadDriverPrivilege 2928 dllhost.exe Token: SeSystemProfilePrivilege 2928 dllhost.exe Token: SeSystemtimePrivilege 2928 dllhost.exe Token: SeProfSingleProcessPrivilege 2928 dllhost.exe Token: SeIncBasePriorityPrivilege 2928 dllhost.exe Token: SeCreatePagefilePrivilege 2928 dllhost.exe Token: SeBackupPrivilege 2928 dllhost.exe Token: SeRestorePrivilege 2928 dllhost.exe Token: SeShutdownPrivilege 2928 dllhost.exe Token: SeDebugPrivilege 2928 dllhost.exe Token: SeSystemEnvironmentPrivilege 2928 dllhost.exe Token: SeChangeNotifyPrivilege 2928 dllhost.exe Token: SeRemoteShutdownPrivilege 2928 dllhost.exe Token: SeUndockPrivilege 2928 dllhost.exe Token: SeManageVolumePrivilege 2928 dllhost.exe Token: SeImpersonatePrivilege 2928 dllhost.exe Token: SeCreateGlobalPrivilege 2928 dllhost.exe Token: 33 2928 dllhost.exe Token: 34 2928 dllhost.exe Token: 35 2928 dllhost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
dllhost.exepid process 2928 dllhost.exe -
Suspicious use of WriteProcessMemory 37 IoCs
Processes:
NingaliNET Cracked [VersionPremium].execmd.execmd.exeNingaliNET.exedescription pid process target process PID 2176 wrote to memory of 2128 2176 NingaliNET Cracked [VersionPremium].exe NingaliNET.exe PID 2176 wrote to memory of 2128 2176 NingaliNET Cracked [VersionPremium].exe NingaliNET.exe PID 2176 wrote to memory of 2128 2176 NingaliNET Cracked [VersionPremium].exe NingaliNET.exe PID 2176 wrote to memory of 2128 2176 NingaliNET Cracked [VersionPremium].exe NingaliNET.exe PID 2176 wrote to memory of 2160 2176 NingaliNET Cracked [VersionPremium].exe cmd.exe PID 2176 wrote to memory of 2160 2176 NingaliNET Cracked [VersionPremium].exe cmd.exe PID 2176 wrote to memory of 2160 2176 NingaliNET Cracked [VersionPremium].exe cmd.exe PID 2176 wrote to memory of 2160 2176 NingaliNET Cracked [VersionPremium].exe cmd.exe PID 2160 wrote to memory of 2312 2160 cmd.exe reg.exe PID 2160 wrote to memory of 2312 2160 cmd.exe reg.exe PID 2160 wrote to memory of 2312 2160 cmd.exe reg.exe PID 2160 wrote to memory of 2312 2160 cmd.exe reg.exe PID 2176 wrote to memory of 2928 2176 NingaliNET Cracked [VersionPremium].exe dllhost.exe PID 2176 wrote to memory of 2928 2176 NingaliNET Cracked [VersionPremium].exe dllhost.exe PID 2176 wrote to memory of 2928 2176 NingaliNET Cracked [VersionPremium].exe dllhost.exe PID 2176 wrote to memory of 2928 2176 NingaliNET Cracked [VersionPremium].exe dllhost.exe PID 2176 wrote to memory of 2928 2176 NingaliNET Cracked [VersionPremium].exe dllhost.exe PID 2176 wrote to memory of 2928 2176 NingaliNET Cracked [VersionPremium].exe dllhost.exe PID 2176 wrote to memory of 2928 2176 NingaliNET Cracked [VersionPremium].exe dllhost.exe PID 2176 wrote to memory of 2928 2176 NingaliNET Cracked [VersionPremium].exe dllhost.exe PID 2176 wrote to memory of 2928 2176 NingaliNET Cracked [VersionPremium].exe dllhost.exe PID 2176 wrote to memory of 2928 2176 NingaliNET Cracked [VersionPremium].exe dllhost.exe PID 2176 wrote to memory of 2928 2176 NingaliNET Cracked [VersionPremium].exe dllhost.exe PID 2176 wrote to memory of 2928 2176 NingaliNET Cracked [VersionPremium].exe dllhost.exe PID 2176 wrote to memory of 2928 2176 NingaliNET Cracked [VersionPremium].exe dllhost.exe PID 2176 wrote to memory of 2520 2176 NingaliNET Cracked [VersionPremium].exe cmd.exe PID 2176 wrote to memory of 2520 2176 NingaliNET Cracked [VersionPremium].exe cmd.exe PID 2176 wrote to memory of 2520 2176 NingaliNET Cracked [VersionPremium].exe cmd.exe PID 2176 wrote to memory of 2520 2176 NingaliNET Cracked [VersionPremium].exe cmd.exe PID 2520 wrote to memory of 2064 2520 cmd.exe timeout.exe PID 2520 wrote to memory of 2064 2520 cmd.exe timeout.exe PID 2520 wrote to memory of 2064 2520 cmd.exe timeout.exe PID 2520 wrote to memory of 2064 2520 cmd.exe timeout.exe PID 2128 wrote to memory of 2384 2128 NingaliNET.exe WerFault.exe PID 2128 wrote to memory of 2384 2128 NingaliNET.exe WerFault.exe PID 2128 wrote to memory of 2384 2128 NingaliNET.exe WerFault.exe PID 2128 wrote to memory of 2384 2128 NingaliNET.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\NingaliNET-RAT 1.0.2.1\NingaliNET 1.0.2.1\NingaliNET Cracked [VersionPremium].exe"C:\Users\Admin\AppData\Local\Temp\NingaliNET-RAT 1.0.2.1\NingaliNET 1.0.2.1\NingaliNET Cracked [VersionPremium].exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\NingaliNET.exe"C:\Users\Admin\AppData\Local\Temp\NingaliNET.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 7323⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AdobeAAMUpdater-1.0\dllhost.exe" /f3⤵
-
C:\Users\Admin\AppData\Local\Temp\dllhost.exe"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\AdobeAAMUpdater-1.0\dllhost.exe.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 3003⤵
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\AdobeAAMUpdater-1.0\dllhost.exe.batFilesize
221B
MD577ab9076e2d81a6f6c59c0f14f8e2509
SHA1d1d036271ccbfe3354a99aba0689a3345d1eea82
SHA25690f097dac23f30ffdcd3e680703511d5467fc2e19be8045759ec45c52e959214
SHA5127a8978ffbd5313a06d1ab1700f4916e5a54f1fa8d709d221292bf6d21f8f48225ed6959b9d93f05c02a5c62f87a502d6810babfb195d3860d83851f097e05b6b
-
C:\Users\Admin\AppData\Local\Temp\dllhost.exeFilesize
54KB
MD50f01571a3e4c71eb4313175aae86488e
SHA12ba648afe2cd52edf5f25e304f77d457abf7ac0e
SHA2568cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022
SHA512159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794
-
\Users\Admin\AppData\Local\Temp\NingaliNET.exeFilesize
1.4MB
MD5eeda9e3dba1a866465f817af9e7c8212
SHA1b78966eb20fdd1c9b4c22c409b2bb9a9a071d680
SHA256f656b5b6736911a787fc4f3374ff247cfbcb277c7c2945c9c5c462354fea968c
SHA5127a7b008b23d1164cfb851c1dc5aa8545b1a76764c331c41cb7de18647f103ac99b138dd7fad20823c90362e17efa043b5517aa8ba11cb5cf836423ace430eccc
-
memory/2128-44-0x0000000000A70000-0x0000000000BE6000-memory.dmpFilesize
1.5MB
-
memory/2128-55-0x0000000071ABE000-0x0000000071ABF000-memory.dmpFilesize
4KB
-
memory/2128-14-0x0000000071ABE000-0x0000000071ABF000-memory.dmpFilesize
4KB
-
memory/2176-1-0x0000000074DD0000-0x000000007537B000-memory.dmpFilesize
5.7MB
-
memory/2176-2-0x0000000074DD0000-0x000000007537B000-memory.dmpFilesize
5.7MB
-
memory/2176-54-0x0000000074DD0000-0x000000007537B000-memory.dmpFilesize
5.7MB
-
memory/2176-0-0x0000000074DD1000-0x0000000074DD2000-memory.dmpFilesize
4KB
-
memory/2928-27-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-29-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-43-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-28-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-26-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-48-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-47-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-45-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-24-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-23-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-21-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2928-32-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-41-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-20-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2928-56-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB