General

  • Target

    2a9bf696f1af170e0e1b5ede752a1578.exe

  • Size

    4.1MB

  • Sample

    240609-h9s6fagc72

  • MD5

    2a9bf696f1af170e0e1b5ede752a1578

  • SHA1

    96b9f6c7398fc9c0cc44534dfabe08f0583baf3a

  • SHA256

    d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f

  • SHA512

    8236468322838e166fe46614dd0f90c576031ef55abfd79b249def9d320bd89b277bf3b7c84bf669480b0504637d1b93b565be5d17eae6065d2418604c25c80d

  • SSDEEP

    98304:alO2xqX9gK/NBJMYpntAecuJ4hLm0amUXzEnk4:a82x3KHJMOAecuJ4hLGmd

Malware Config

Extracted

Family

darkcomet

Botnet

2024+June111-newcrt

C2

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-TF0M80E

Attributes
  • gencode

    FStELhsGExZX

  • install

    false

  • offline_keylogger

    false

  • password

    hhhhhh

  • persistence

    false

Extracted

Family

asyncrat

Version

0.5.6A

C2

dgorijan20785.hopto.org:6606

dgorijan20785.hopto.org:7707

dgorijan20785.hopto.org:8808

45.74.4.244:6606

45.74.4.244:7707

45.74.4.244:8808

Mutex

v5tvc5rc5ex77777

Attributes
  • delay

    5

  • install

    true

  • install_file

    audiodvs.exe

  • install_folder

    %AppData%

aes.plain
aes.plain

Extracted

Family

darkcomet

Botnet

2024+June1-newcrt

C2

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-62B5ZW6

Attributes
  • InstallPath

    word.exe

  • gencode

    T8Q4ENhuqy1g

  • install

    true

  • offline_keylogger

    false

  • password

    hhhhhh

  • persistence

    true

  • reg_key

    word

Extracted

Family

babylonrat

C2

dgorijan20785.hopto.org

Extracted

Family

xenorat

C2

dgorijan20785.hopto.org

Mutex

win_sv88778sl

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    4488

  • startup_name

    logons

Extracted

Family

darkcomet

Botnet

New-July-July4-02

C2

dgorijan20785.hopto.org:35800

Mutex

DC_MUTEX-JFYU2BC

Attributes
  • gencode

    UkVkDi2EZxxn

  • install

    false

  • offline_keylogger

    true

  • password

    hhhhhh

  • persistence

    false

Extracted

Family

warzonerat

C2

dgorijan20785.hopto.org:5199

45.74.4.244:5199

Extracted

Family

darkcomet

Botnet

New-July-July4-0

C2

45.74.4.244:35800

Mutex

DC_MUTEX-RT27KF0

Attributes
  • gencode

    cKUHbX2GsGhs

  • install

    false

  • offline_keylogger

    true

  • password

    hhhhhh

  • persistence

    false

Targets

    • Target

      2a9bf696f1af170e0e1b5ede752a1578.exe

    • Size

      4.1MB

    • MD5

      2a9bf696f1af170e0e1b5ede752a1578

    • SHA1

      96b9f6c7398fc9c0cc44534dfabe08f0583baf3a

    • SHA256

      d8f0a37788e14306d6f5a6b15417aec0c76d08fd9c788871ad50a9ac7cd6c73f

    • SHA512

      8236468322838e166fe46614dd0f90c576031ef55abfd79b249def9d320bd89b277bf3b7c84bf669480b0504637d1b93b565be5d17eae6065d2418604c25c80d

    • SSDEEP

      98304:alO2xqX9gK/NBJMYpntAecuJ4hLm0amUXzEnk4:a82x3KHJMOAecuJ4hLGmd

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Babylon RAT

      Babylon RAT is remote access trojan written in C++.

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Async RAT payload

    • Warzone RAT payload

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks