Analysis
max time kernel: 149s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 01:06
Static task: static1

Behavioral tasks (task | sample | resource):
behavioral1 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/IconInjector.dll | win7-20240215-en
behavioral2 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/IconInjector.dll | win10v2004-20240508-en
behavioral3 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Interop.NATUPNPLib.dll | win7-20240220-en
behavioral4 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Interop.NATUPNPLib.dll | win10v2004-20240426-en
behavioral5 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Mono.Cecil.dll | win7-20240508-en
behavioral6 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Mono.Cecil.dll | win10v2004-20240508-en
behavioral7 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/NingaliNET Cracked [VersionPremium].exe | win7-20240221-en
behavioral8 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/NingaliNET Cracked [VersionPremium].exe | win10v2004-20240226-en
behavioral9 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/NingaliNET [Original].exe | win7-20240221-en
behavioral10 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/NingaliNET [Original].exe | win10v2004-20240426-en
behavioral11 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Plugins/Filebinder.exe | win7-20240508-en
behavioral12 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Plugins/Filebinder.exe | win10v2004-20240426-en
behavioral13 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Plugins/Server.exe | win7-20240508-en
behavioral14 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Plugins/Server.exe | win10v2004-20240508-en
behavioral15 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Plugins/dlentrypoint.exe | win7-20240215-en
behavioral16 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Plugins/dlentrypoint.exe | win10v2004-20240508-en
behavioral17 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Plugins/dlnormal.exe | win7-20240221-en
behavioral18 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Plugins/dlnormal.exe | win10v2004-20240426-en
behavioral19 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Res/res.exe | win7-20240221-en
behavioral20 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/Res/res.exe | win10v2004-20240508-en
behavioral21 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/SocketServer.dll | win7-20240508-en
behavioral22 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/SocketServer.dll | win10v2004-20240226-en
behavioral23 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/upnp.dll | win7-20240221-en
behavioral24 | NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/upnp.dll | win10v2004-20240426-en
General
Target: NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/NingaliNET Cracked [VersionPremium].exe
Size: 2.9MB
MD5: 451b1dd1b12dbd70f3cf580deae0696d
SHA1: 81024d91d94c302e85455badb21e3a2e4f694eda
SHA256: ade39b5cb7124f165ed933e8e7f45469aebe1bb85cec8aadff7fee8ae99e499e
SHA512: 7fc86b44a02d47f6b577d93ff81c0ba7239995b2d4f1e02475d963f593d9d2ac6ab451770ab4a7fefc9d440e33eeff494d6274fab66f4033f97bd0bb9a57d802
SSDEEP: 49152:P4+T1crpOB3pVPnBaTOhm5PbQqKpcYeD4K2CqFXBSLlTJcGXDlp/yBFwvP:xT1crpY5zWOEB4qYeSCq2Ll93YFq
Malware Config
Extracted
Family: darkcomet
Botnet: A1Client
C2: subdomain-dns.duckdns.org:3725
Mutex: DC_MUTEX-9WL5KMH
Attributes:
- gencode: F7b2NJbuPvt9
- install: false
- offline_keylogger: true
- persistence: false
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | NingaliNET Cracked [VersionPremium].exe

Drops startup file (2 IoCs)
Description | IoC | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.exe | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.exe | cmd.exe

Executes dropped EXE (2 IoCs)
PID | Process
3976 | NingaliNET.exe
2888 | dllhost.exe

Drops desktop.ini file(s) (2 IoCs)
Description | IoC | Process
File created | C:\Windows\assembly\Desktop.ini | NingaliNET Cracked [VersionPremium].exe
File opened for modification | C:\Windows\assembly\Desktop.ini | NingaliNET Cracked [VersionPremium].exe

Suspicious use of SetThreadContext (1 IoC)
Description | PID | Process | Target process
PID 2960 set thread context of 2888 | 2960 | NingaliNET Cracked [VersionPremium].exe | dllhost.exe

Drops file in Windows directory (3 IoCs)
Description | IoC | Process
File opened for modification | C:\Windows\assembly\Desktop.ini | NingaliNET Cracked [VersionPremium].exe
File opened for modification | C:\Windows\assembly | NingaliNET Cracked [VersionPremium].exe
File created | C:\Windows\assembly\Desktop.ini | NingaliNET Cracked [VersionPremium].exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
PID | Target PID | Process | Target process
3576 | 3976 | WerFault.exe | NingaliNET.exe

Delays execution with timeout.exe (1 IoC)
PID | Process
4908 | timeout.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
PID | Process
2960 | NingaliNET Cracked [VersionPremium].exe (7 entries)

Suspicious use of AdjustPrivilegeToken (25 IoCs)
PID | Process | Tokens
2960 | NingaliNET Cracked [VersionPremium].exe | SeDebugPrivilege
2888 | dllhost.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
PID | Process
2888 | dllhost.exe

Suspicious use of WriteProcessMemory (27 IoCs; identical entries collapsed, count in last column)
PID | Process | Target PID | Target process | Entries
2960 | NingaliNET Cracked [VersionPremium].exe | 3976 | NingaliNET.exe | 3
2960 | NingaliNET Cracked [VersionPremium].exe | 4348 | cmd.exe | 3
4348 | cmd.exe | 4232 | reg.exe | 3
2960 | NingaliNET Cracked [VersionPremium].exe | 2888 | dllhost.exe | 12
2960 | NingaliNET Cracked [VersionPremium].exe | 3564 | cmd.exe | 3
3564 | cmd.exe | 4908 | timeout.exe | 3
Processes (indentation shows parent/child; each entry gives the image path, the command line, and the signatures raised by that process)

C:\Users\Admin\AppData\Local\Temp\NingaliNET-RAT 1.0.2.1\NingaliNET 1.0.2.1\NingaliNET Cracked [VersionPremium].exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NingaliNET-RAT 1.0.2.1\NingaliNET 1.0.2.1\NingaliNET Cracked [VersionPremium].exe"
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\NingaliNET.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\NingaliNET.exe"
      - Executes dropped EXE
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1200
          - Program crash
    C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe"
      - Drops startup file
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AdobeAAMUpdater-1.0\dllhost.exe" /f
    C:\Users\Admin\AppData\Local\Temp\dllhost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\AdobeAAMUpdater-1.0\dllhost.exe.bat
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\timeout.exe
          Command line: timeout /t 300
          - Delays execution with timeout.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4004 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3976 -ip 3976
Downloads

C:\Users\Admin\AppData\Local\Temp\AdobeAAMUpdater-1.0\dllhost.exe.bat
Filesize: 221B
MD5: 77ab9076e2d81a6f6c59c0f14f8e2509
SHA1: d1d036271ccbfe3354a99aba0689a3345d1eea82
SHA256: 90f097dac23f30ffdcd3e680703511d5467fc2e19be8045759ec45c52e959214
SHA512: 7a8978ffbd5313a06d1ab1700f4916e5a54f1fa8d709d221292bf6d21f8f48225ed6959b9d93f05c02a5c62f87a502d6810babfb195d3860d83851f097e05b6b

C:\Users\Admin\AppData\Local\Temp\NingaliNET.exe
Filesize: 1.4MB
MD5: eeda9e3dba1a866465f817af9e7c8212
SHA1: b78966eb20fdd1c9b4c22c409b2bb9a9a071d680
SHA256: f656b5b6736911a787fc4f3374ff247cfbcb277c7c2945c9c5c462354fea968c
SHA512: 7a7b008b23d1164cfb851c1dc5aa8545b1a76764c331c41cb7de18647f103ac99b138dd7fad20823c90362e17efa043b5517aa8ba11cb5cf836423ace430eccc

C:\Users\Admin\AppData\Local\Temp\dllhost.exe
Filesize: 57KB
MD5: 454501a66ad6e85175a6757573d79f8b
SHA1: 8ca96c61f26a640a5b1b1152d055260b9d43e308
SHA256: 7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8
SHA512: 9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

Memory dumps (file | filesize):
memory/2888-36-0x0000000000400000-0x00000000004B1000-memory.dmp | 708KB
memory/2888-34-0x0000000000400000-0x00000000004B1000-memory.dmp | 708KB
memory/2888-37-0x0000000000400000-0x00000000004B1000-memory.dmp | 708KB
memory/2888-32-0x0000000000400000-0x00000000004B1000-memory.dmp | 708KB
memory/2888-29-0x0000000000400000-0x00000000004B1000-memory.dmp | 708KB
memory/2888-26-0x0000000000400000-0x00000000004B1000-memory.dmp | 708KB
memory/2960-0-0x00000000749B2000-0x00000000749B3000-memory.dmp | 4KB
memory/2960-2-0x00000000749B0000-0x0000000074F61000-memory.dmp | 5.7MB
memory/2960-3-0x00000000749B2000-0x00000000749B3000-memory.dmp | 4KB
memory/2960-4-0x00000000749B0000-0x0000000074F61000-memory.dmp | 5.7MB
memory/2960-1-0x00000000749B0000-0x0000000074F61000-memory.dmp | 5.7MB
memory/2960-5-0x00000000749B0000-0x0000000074F61000-memory.dmp | 5.7MB
memory/2960-43-0x00000000749B0000-0x0000000074F61000-memory.dmp | 5.7MB
memory/3976-38-0x0000000000450000-0x00000000005C6000-memory.dmp | 1.5MB
memory/3976-41-0x0000000005260000-0x00000000052F2000-memory.dmp | 584KB
memory/3976-40-0x0000000005810000-0x0000000005DB4000-memory.dmp | 5.6MB
memory/3976-39-0x0000000005120000-0x00000000051BC000-memory.dmp | 624KB
memory/3976-23-0x0000000071A4E000-0x0000000071A4F000-memory.dmp | 4KB
memory/3976-44-0x0000000005100000-0x000000000510A000-memory.dmp | 40KB
memory/3976-45-0x0000000005300000-0x0000000005356000-memory.dmp | 344KB