Overview

overview

10

Static

static

3

NingaliNET...or.dll

windows7-x64

1

NingaliNET...or.dll

windows10-2004-x64

1

NingaliNET...ib.dll

windows7-x64

1

NingaliNET...ib.dll

windows10-2004-x64

1

NingaliNET...il.dll

windows7-x64

1

NingaliNET...il.dll

windows10-2004-x64

1

NingaliNET...m].exe

windows7-x64

10

NingaliNET...m].exe

windows10-2004-x64

10

NingaliNET...l].exe

windows7-x64

1

NingaliNET...l].exe

windows10-2004-x64

1

NingaliNET...er.exe

windows7-x64

1

NingaliNET...er.exe

windows10-2004-x64

1

NingaliNET...er.exe

windows7-x64

1

NingaliNET...er.exe

windows10-2004-x64

1

NingaliNET...nt.exe

windows7-x64

1

NingaliNET...nt.exe

windows10-2004-x64

1

NingaliNET...al.exe

windows7-x64

1

NingaliNET...al.exe

windows10-2004-x64

1

NingaliNET...es.exe

windows7-x64

1

NingaliNET...es.exe

windows10-2004-x64

1

NingaliNET...er.dll

windows7-x64

1

NingaliNET...er.dll

windows10-2004-x64

1

NingaliNET...np.dll

windows7-x64

1

NingaliNET...np.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 01:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NingaliNET-RAT 1.0.2.1/NingaliNET 1.0.2.1/NingaliNET Cracked [VersionPremium].exe

  • Size

    2.9MB

  • MD5

    451b1dd1b12dbd70f3cf580deae0696d

  • SHA1

    81024d91d94c302e85455badb21e3a2e4f694eda

  • SHA256

    ade39b5cb7124f165ed933e8e7f45469aebe1bb85cec8aadff7fee8ae99e499e

  • SHA512

    7fc86b44a02d47f6b577d93ff81c0ba7239995b2d4f1e02475d963f593d9d2ac6ab451770ab4a7fefc9d440e33eeff494d6274fab66f4033f97bd0bb9a57d802

  • SSDEEP

    49152:P4+T1crpOB3pVPnBaTOhm5PbQqKpcYeD4K2CqFXBSLlTJcGXDlp/yBFwvP:xT1crpY5zWOEB4qYeSCq2Ll93YFq

Score
10/10
darkcometa1clientrattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

A1Client

C2

subdomain-dns.duckdns.org:3725

Mutex

DC_MUTEX-9WL5KMH

Attributes
  • gencode

    F7b2NJbuPvt9

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NingaliNET-RAT 1.0.2.1\NingaliNET 1.0.2.1\NingaliNET Cracked [VersionPremium].exe
    "C:\Users\Admin\AppData\Local\Temp\NingaliNET-RAT 1.0.2.1\NingaliNET 1.0.2.1\NingaliNET Cracked [VersionPremium].exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Users\Admin\AppData\Local\Temp\NingaliNET.exe
      "C:\Users\Admin\AppData\Local\Temp\NingaliNET.exe"
      2⤵
      • Executes dropped EXE
      PID:3976
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1200
        3⤵
        • Program crash
        PID:3576
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      PID:4348
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AdobeAAMUpdater-1.0\dllhost.exe" /f
        3⤵
          PID:4232
      • C:\Users\Admin\AppData\Local\Temp\dllhost.exe
        "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2888
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\AdobeAAMUpdater-1.0\dllhost.exe.bat
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3564
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 300
          3⤵
          • Delays execution with timeout.exe
          PID:4908
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4004 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:1760
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3976 -ip 3976
        1⤵
          PID:3888

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\AdobeAAMUpdater-1.0\dllhost.exe.bat
          Filesize

          221B

          MD5

          77ab9076e2d81a6f6c59c0f14f8e2509

          SHA1

          d1d036271ccbfe3354a99aba0689a3345d1eea82

          SHA256

          90f097dac23f30ffdcd3e680703511d5467fc2e19be8045759ec45c52e959214

          SHA512

          7a8978ffbd5313a06d1ab1700f4916e5a54f1fa8d709d221292bf6d21f8f48225ed6959b9d93f05c02a5c62f87a502d6810babfb195d3860d83851f097e05b6b

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\NingaliNET.exe
          Filesize

          1.4MB

          MD5

          eeda9e3dba1a866465f817af9e7c8212

          SHA1

          b78966eb20fdd1c9b4c22c409b2bb9a9a071d680

          SHA256

          f656b5b6736911a787fc4f3374ff247cfbcb277c7c2945c9c5c462354fea968c

          SHA512

          7a7b008b23d1164cfb851c1dc5aa8545b1a76764c331c41cb7de18647f103ac99b138dd7fad20823c90362e17efa043b5517aa8ba11cb5cf836423ace430eccc

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\dllhost.exe
          Filesize

          57KB

          MD5

          454501a66ad6e85175a6757573d79f8b

          SHA1

          8ca96c61f26a640a5b1b1152d055260b9d43e308

          SHA256

          7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

          SHA512

          9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

          Download Submit
        • memory/2888-36-0x0000000000400000-0x00000000004B1000-memory.dmp
          Filesize

          708KB

          Download
        • memory/2888-34-0x0000000000400000-0x00000000004B1000-memory.dmp
          Filesize

          708KB

          Download
        • memory/2888-37-0x0000000000400000-0x00000000004B1000-memory.dmp
          Filesize

          708KB

          Download
        • memory/2888-32-0x0000000000400000-0x00000000004B1000-memory.dmp
          Filesize

          708KB

          Download
        • memory/2888-29-0x0000000000400000-0x00000000004B1000-memory.dmp
          Filesize

          708KB

          Download
        • memory/2888-26-0x0000000000400000-0x00000000004B1000-memory.dmp
          Filesize

          708KB

          Download
        • memory/2960-0-0x00000000749B2000-0x00000000749B3000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2960-2-0x00000000749B0000-0x0000000074F61000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/2960-3-0x00000000749B2000-0x00000000749B3000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2960-4-0x00000000749B0000-0x0000000074F61000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/2960-1-0x00000000749B0000-0x0000000074F61000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/2960-5-0x00000000749B0000-0x0000000074F61000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/2960-43-0x00000000749B0000-0x0000000074F61000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/3976-38-0x0000000000450000-0x00000000005C6000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/3976-41-0x0000000005260000-0x00000000052F2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/3976-40-0x0000000005810000-0x0000000005DB4000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/3976-39-0x0000000005120000-0x00000000051BC000-memory.dmp
          Filesize

          624KB

          Download
        • memory/3976-23-0x0000000071A4E000-0x0000000071A4F000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3976-44-0x0000000005100000-0x000000000510A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/3976-45-0x0000000005300000-0x0000000005356000-memory.dmp
          Filesize

          344KB

          Download