General
Target: darkmoon_v2.zip
Size: 8.2MB
Sample: 240602-spp86agd23
MD5: 07dc8aa034636515b0da7475b6cc7ce8
SHA1: e746ec81711fc8039ecc2dada0f25df64bd7d9e4
SHA256: 2a6a28e5ec050a9039d62bf2cd0075df7324ebb9e3c9130ca417c8381796445e
SHA512: 7af7fafc74f4b268da8b2764c396da8e6f25de7ac746c407409a3e2f981f55dc78f82b2055ea32fdb5a0f4c9582982808c525dd692a9fc398ec38608390f8116
SSDEEP: 196608:qHvvZPGmaJoKPfZCXh0YYyhVSXj8XN7rWtioPVOaYNC7Tn:qPNGmgfUxbXNWTPVLYsTn
Static task
static1

Behavioral task
behavioral1
Sample: darkmoon v2/lib/AyBYMBjlvU.bat
Resource: win7-20240221-en

Behavioral task
behavioral2
Sample: darkmoon v2/lib/AyBYMBjlvU.bat
Resource: win10v2004-20240426-en

Behavioral task
behavioral3
Sample: darkmoon v2/lib/DarkMoon_Gen.exe
Resource: win10v2004-20240426-en

Behavioral task
behavioral4
Sample: darkmoon v2/start.bat
Resource: win7-20240220-en

Behavioral task
behavioral5
Sample: darkmoon v2/start.bat
Resource: win10v2004-20240426-en
Malware Config
Extracted
quasar
1.0.0.0
v2.2.6 | SeroXen
seroooooxeen.chickenkiller.com:5059
f953c0af-702a-46b5-ad07-d900b11c5cd9
encryption_key: 458790DC6E62EEB3043B4566BF95CDAF711F1EC0
install_name: .exe
log_directory: $sxr-Logs
reconnect_delay: 3000
Targets

Target: darkmoon v2/lib/AyBYMBjlvU.bat
Size: 12.6MB
MD5: 8e3d8ed6db7cb979d5d56c8b847cc965
SHA1: 5d1ad752a988ce13da601448cdca5584610cffee
SHA256: 9d0b440b61b239bc3406d67bf7ae8baf1ceef65923e8558ce3a3c1a3c4a5e22a
SHA512: d7a96420b1e61c4bc7db6c533704771e329239629201dbf34ac8a95a931da92c6e1d7ddb694a491656246b0eb491e96d194b7abccf54ef757c1aea92a9b96a0e
SSDEEP: 49152:Hq8mcjsXbvlusR48pNIN/I/EiFTPbYWLP17DFNkKuri3NSbkpXYyr7arOR150kFB:o
Score: 10/10
- Quasar payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: darkmoon v2/lib/DarkMoon_Gen.exe
Size: 340KB
MD5: f3c021dbce0cd670f15415c3aa6b83aa
SHA1: 433842e6529c6df685da1317bfd69d2ea0c85cca
SHA256: c147148fa809e238efc3e60b2ed129a93f11694b31d194f7347ddfbb6b82ba20
SHA512: 5690f12b45819cf28dfc350d3e362f172f1f589b9614b639f995e1bb56ea8fcb87b3058323998f33dd3637b48f00d596c63866cfde7172a3ac664fac110a6f66
SSDEEP: 3072:eahKyd2n3175Ctbq6rw3VScvNSAh8CndDOMrt1nW:eahOql+UcsMra
Score: 6/10
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2

Target: darkmoon v2/start.bat
Size: 82B
MD5: e6ede72374e4f7b8b907d4099c76f4d4
SHA1: 146899cf959ada383b0a258b06da7963ef0d1c70
SHA256: c07fbd6c49d83eb8399435f9972551d2c73a29e5914a25640639191d187dd80d
SHA512: 1b2d0cd4a5deae331ed16f383831f4ff7ba1c5b7f6906a35354dfd420ca44f17e3469157f2327685a6aa9773175425aa145faa2d4866030d131334eb36426fcc
Score: 10/10
- Quasar payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext