General
-
Target
2a9bf696f1af170e0e1b5ede752a1578.exe
-
Size
4.1MB
-
Sample
240609-h9s6fagc72
-
MD5
2a9bf696f1af170e0e1b5ede752a1578
-
SHA1
96b9f6c7398fc9c0cc44534dfabe08f0583baf3a
-
SHA256
d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f
-
SHA512
8236468322838e166fe46614dd0f90c576031ef55abfd79b249def9d320bd89b277bf3b7c84bf669480b0504637d1b93b565be5d17eae6065d2418604c25c80d
-
SSDEEP
98304:alO2xqX9gK/NBJMYpntAecuJ4hLm0amUXzEnk4:a82x3KHJMOAecuJ4hLGmd
Static task
static1
Behavioral task
behavioral1
Sample
2a9bf696f1af170e0e1b5ede752a1578.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2a9bf696f1af170e0e1b5ede752a1578.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
darkcomet
2024+June111-newcrt
dgorijan20785.hopto.org:35800
DC_MUTEX-TF0M80E
-
gencode
FStELhsGExZX
-
install
false
-
offline_keylogger
false
-
password
hhhhhh
-
persistence
false
Extracted
asyncrat
0.5.6A
dgorijan20785.hopto.org:6606
dgorijan20785.hopto.org:7707
dgorijan20785.hopto.org:8808
45.74.4.244:6606
45.74.4.244:7707
45.74.4.244:8808
v5tvc5rc5ex77777
-
delay
5
-
install
true
-
install_file
audiodvs.exe
-
install_folder
%AppData%
Extracted
darkcomet
2024+June1-newcrt
dgorijan20785.hopto.org:35800
DC_MUTEX-62B5ZW6
-
InstallPath
word.exe
-
gencode
T8Q4ENhuqy1g
-
install
true
-
offline_keylogger
false
-
password
hhhhhh
-
persistence
true
-
reg_key
word
Extracted
babylonrat
dgorijan20785.hopto.org
Extracted
xenorat
dgorijan20785.hopto.org
win_sv88778sl
-
delay
5000
-
install_path
temp
-
port
4488
-
startup_name
logons
Extracted
darkcomet
New-July-July4-02
dgorijan20785.hopto.org:35800
DC_MUTEX-JFYU2BC
-
gencode
UkVkDi2EZxxn
-
install
false
-
offline_keylogger
true
-
password
hhhhhh
-
persistence
false
Extracted
warzonerat
dgorijan20785.hopto.org:5199
45.74.4.244:5199
Extracted
darkcomet
New-July-July4-0
45.74.4.244:35800
DC_MUTEX-RT27KF0
-
gencode
cKUHbX2GsGhs
-
install
false
-
offline_keylogger
true
-
password
hhhhhh
-
persistence
false
Targets
-
-
Target
2a9bf696f1af170e0e1b5ede752a1578.exe
-
Size
4.1MB
-
MD5
2a9bf696f1af170e0e1b5ede752a1578
-
SHA1
96b9f6c7398fc9c0cc44534dfabe08f0583baf3a
-
SHA256
d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f
-
SHA512
8236468322838e166fe46614dd0f90c576031ef55abfd79b249def9d320bd89b277bf3b7c84bf669480b0504637d1b93b565be5d17eae6065d2418604c25c80d
-
SSDEEP
98304:alO2xqX9gK/NBJMYpntAecuJ4hLm0amUXzEnk4:a82x3KHJMOAecuJ4hLGmd
-
Modifies WinLogon for persistence
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Async RAT payload
-
Warzone RAT payload
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1