General
Target: orbit premium.rar
Size: 1.2MB
Sample: 240723-rj254athlk
MD5: 4f2734db91c53a00df72b5afe9e1def9
SHA1: 78efee23906fe99bff2a1878569e358ad735ae7f
SHA256: 6593b87dd50de13bfe02bee82b2a2f0a9842cca830d1db74ae28f4b35abcca88
SHA512: 4812798caafad81f537d621cdec361f398a578cbe28d72a137630c2b6916b503c4c98173393793f9ba396dc74c39cc3114e5fe0e0b33e6e623993ef96986bb82
SSDEEP: 24576:oPO4ko61ZHJry7ibIx8O5011XrtC3TnMLtd4AlFnKzW5PO4ko61ZHJONO:oPLwdlxbIx8O5SJrqTOX4gR5PLwd+O
Behavioral tasks
behavioral1: orbit premium/CSGhost-v4.3.0.exe (resource win10-20240404-en)
behavioral2: orbit premium/CSGhost-v4.3.0.exe (resource win7-20240705-en)
behavioral3: orbit premium/VacBypass.exe (resource win10-20240611-en)
behavioral4: orbit premium/VacBypass.exe (resource win7-20240708-en)
behavioral5: orbit premium/orbiteng.dll (resource win10-20240404-en)
behavioral6: orbit premium/orbiteng.dll (resource win7-20240704-en)
Malware Config
Extracted family: darkcomet
ID: Guest16
C2: novadomains.dudckdns.org:8989
C2: www.novadomains.duckdns.org:8989
Mutex: DC_MUTEX-FQ8MCQ6
InstallPath: MSDCSC\msdcsc.exe
gencode: 6AwR7PAURuR2
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
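The extracted config above is directly usable as host indicators: a Run value named MicroUpdate, an install path ending in MSDCSC\msdcsc.exe, the mutex DC_MUTEX-FQ8MCQ6, and the two duckdns hosts on port 8989. The following is an added example, not code from the report or from any tool it names, that runs those indicators over constructed Sysmon-style event records. The indicator values come from the config; the registry locations they are matched in (CurrentVersion\Run, Winlogon\Userinit, Policies\System\DisableRegistryTools) are assumptions about where this family writes, chosen to mirror the report's "Adds Run key", "Modifies WinLogon for persistence" and "Disables RegEdit" signatures, and are not stated by the report.

```python
"""Match the extracted DarkComet indicators against constructed host telemetry.

Added example; the EVENTS records are constructed, not captured from the
sandbox. Registry paths used for matching are assumptions (see lead-in).
"""

IOC = {
    "c2_hosts": {"novadomains.dudckdns.org", "www.novadomains.duckdns.org"},
    "c2_port": 8989,
    "mutex": "DC_MUTEX-FQ8MCQ6",
    "run_value": "MicroUpdate",
    "install_path": r"MSDCSC\msdcsc.exe",
}

# Constructed telemetry: five records modelled on the report's signatures,
# then two benign records that must not match.
EVENTS = [
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "MicroUpdate",
     "data": r"C:\Users\victim\Documents\MSDCSC\msdcsc.exe"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "DisableRegistryTools", "data": "1"},
    {"type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value": "Userinit",
     "data": r"C:\Windows\system32\userinit.exe,C:\Users\victim\Documents\MSDCSC\msdcsc.exe"},
    {"type": "network_connect",
     "image": r"C:\Users\victim\Documents\MSDCSC\msdcsc.exe",
     "dest_host": "www.novadomains.duckdns.org", "dest_port": 8989},
    {"type": "mutex_create", "name": "DC_MUTEX-FQ8MCQ6"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive",
     "data": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "network_connect",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "www.mozilla.org", "dest_port": 443},
]


def match_event(ev):
    """Return a list of (indicator, detail) pairs that fire on one event."""
    hits = []
    if ev["type"] == "registry_set":
        key = ev["key"].lower()
        value = ev["value"]
        data = str(ev.get("data", ""))
        # Run value named exactly as the config's reg_key (sample-specific).
        if key.endswith(r"\currentversion\run") and value == IOC["run_value"]:
            hits.append(("reg_key", f"Run value {value!r} -> {data}"))
        # Any registry data that points at the config's InstallPath.
        if IOC["install_path"].lower() in data.lower():
            hits.append(("install_path", f"{ev['key']}\\{value} references {IOC['install_path']}"))
        # Winlogon\Userinit carrying anything beyond the stock userinit.exe entry.
        if key.endswith(r"\winlogon") and value.lower() == "userinit":
            entries = [e.strip() for e in data.split(",") if e.strip()]
            extra = [e for e in entries if not e.lower().endswith(r"\userinit.exe")]
            if extra:
                hits.append(("winlogon", f"Userinit carries extra entries: {extra}"))
        # Regedit lockout, matching "Disables RegEdit via registry modification".
        if key.endswith(r"\policies\system") and value.lower() == "disableregistrytools" and data == "1":
            hits.append(("disable_regedit", "DisableRegistryTools set to 1"))
    elif ev["type"] == "network_connect":
        host = ev["dest_host"].lower()
        if host in IOC["c2_hosts"]:
            hits.append(("c2", f"{ev['image']} -> {host}:{ev['dest_port']}"))
        elif ev["dest_port"] == IOC["c2_port"]:
            # Port overlap alone is weak evidence; report it under its own label.
            hits.append(("c2_port_only", f"{ev['image']} -> {host}:{ev['dest_port']}"))
    elif ev["type"] == "mutex_create":
        name = ev["name"]
        if name == IOC["mutex"]:
            hits.append(("mutex", name))
        elif name.startswith("DC_MUTEX-"):
            # Family-level hit: the prefix is the DarkComet convention, the suffix is per build.
            hits.append(("mutex_family", name))
    return hits


def scan(events):
    """Run match_event over a sequence of events; yields (index, indicator, detail)."""
    return [(i, ind, det) for i, ev in enumerate(events) for ind, det in match_event(ev)]


def indicators_hit(events):
    """Distinct indicator names that fired, sorted, for a quick verdict."""
    return sorted({ind for _, ind, _ in scan(events)})


if __name__ == "__main__":
    for i, ind, det in scan(EVENTS):
        print(f"event {i}: {ind}: {det}")
```

The sample-specific matches (mutex, Run value name, C2 hosts) are kept separate from the family-level and generic ones (DC_MUTEX- prefix, Userinit tampering, port-only overlap) so that a rebuilt stub with a different gencode still surfaces, and so the weaker matches can be weighted down rather than dropped.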
Targets

Target: orbit premium/CSGhost-v4.3.0.exe
Size: 650KB
MD5: 66cb0d373bb2da5caaab6bdac4e28a2a
SHA1: 7ff393e0c3fa10b5a9784e66a053ff9ef9e50f56
SHA256: 2c62eff900c082b1d5bb235de81a7fe9b26fc1f62569413add120a78ac94cd87
SHA512: f7f49c03a9c2953d93cf2d4253368e865c067ad1babf5ab1b471c7c07411ae95ae692dedc1b4bcd7414097f6f420a1c78750e96d4371954f9fddc579ab24b3de
SSDEEP: 12288:Lk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+r:g0QRWoJEfg0oChGdJQbjPbNW5tYeP+G6
Signatures:
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Disables RegEdit via registry modification
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: orbit premium/VacBypass.exe
Size: 650KB
MD5: 755dae3e1516c174460a905a3ae600a4
SHA1: 2ca4fe9f2e41fad399acf300c72ebc9bb3fef3ef
SHA256: 8761ad02b925a5858fdbcd1b39faf5c6959e3149ebe4620271fd369c620ce2a9
SHA512: 81565a6b15907f2b934161500cd42c82867dc8655de6e34e9cddbc0d445e5b6848cc3330986f377013ea8eb39bd64a4ea82b232c7086b49eccf68985584c106f
SSDEEP: 12288:Lk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+/:g0QRWoJEfg0oChGdJQbjPbNW5tYeP+Ga
Signatures:
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Disables RegEdit via registry modification
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: orbit premium/orbiteng.dll
Size: 1.5MB
MD5: ca150e99884c888fb083fe6cc943b1de
SHA1: 061ac7c941401c3d3c9ddc212c2cf253183c88af
SHA256: 9417735b3c94569965bba5e900b43da016a1a51afbe1f2673608555a1aa6ced1
SHA512: 8a1a7cde171a2215835adee400bba5d3e4b4a6ddd9f6c23b42fe402caf165ea281fd58ded6cd26135e72cf886c29ea32c55b56280cde518000369fbbcbaff51d
SSDEEP: 24576:yWqeulhybTR4MfZ+ztqZQXWaGa76iWrpGZrU0VcgFgncFs9myr8lWu:yPnhkuwyG0nFgnSs9myYlWu
Score: 5/10
Signatures:
- Drops file in System32 directory
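The two executables above have the same size and SSDEEP values that differ in only two characters, so fuzzy hashing would treat them as near-identical builds, yet their cryptographic hashes are entirely different. Deciding whether a file on disk is one of these samples is therefore a hash-by-hash comparison. The following is an added example, not code from the report, that computes all four digests in one pass and compares each independently, flagging the case where only some algorithms agree (a transcription error in the report or, for MD5 and SHA-1, a practical collision) as a partial match rather than accepting it. The hash sets are copied from this page; the sample bytes in the test are constructed.

```python
"""Verify a file against the hash sets in the report's Targets section.

Added example, not part of the report. Each digest is compared on its own so
that a file matching on MD5 but not on SHA-256 is reported as "partial", not
accepted: MD5 and SHA-1 collisions are practical, so one weak hash is not
proof of identity.
"""
import hashlib
import io
import sys

# Hash sets copied from the report: the archive plus the three dropped files.
REPORT_TARGETS = {
    "orbit premium.rar": {
        "md5": "4f2734db91c53a00df72b5afe9e1def9",
        "sha1": "78efee23906fe99bff2a1878569e358ad735ae7f",
        "sha256": "6593b87dd50de13bfe02bee82b2a2f0a9842cca830d1db74ae28f4b35abcca88",
        "sha512": "4812798caafad81f537d621cdec361f398a578cbe28d72a137630c2b6916b503c4c98173393793f9ba396dc74c39cc3114e5fe0e0b33e6e623993ef96986bb82",
    },
    "orbit premium/CSGhost-v4.3.0.exe": {
        "md5": "66cb0d373bb2da5caaab6bdac4e28a2a",
        "sha1": "7ff393e0c3fa10b5a9784e66a053ff9ef9e50f56",
        "sha256": "2c62eff900c082b1d5bb235de81a7fe9b26fc1f62569413add120a78ac94cd87",
        "sha512": "f7f49c03a9c2953d93cf2d4253368e865c067ad1babf5ab1b471c7c07411ae95ae692dedc1b4bcd7414097f6f420a1c78750e96d4371954f9fddc579ab24b3de",
    },
    "orbit premium/VacBypass.exe": {
        "md5": "755dae3e1516c174460a905a3ae600a4",
        "sha1": "2ca4fe9f2e41fad399acf300c72ebc9bb3fef3ef",
        "sha256": "8761ad02b925a5858fdbcd1b39faf5c6959e3149ebe4620271fd369c620ce2a9",
        "sha512": "81565a6b15907f2b934161500cd42c82867dc8655de6e34e9cddbc0d445e5b6848cc3330986f377013ea8eb39bd64a4ea82b232c7086b49eccf68985584c106f",
    },
    "orbit premium/orbiteng.dll": {
        "md5": "ca150e99884c888fb083fe6cc943b1de",
        "sha1": "061ac7c941401c3d3c9ddc212c2cf253183c88af",
        "sha256": "9417735b3c94569965bba5e900b43da016a1a51afbe1f2673608555a1aa6ced1",
        "sha512": "8a1a7cde171a2215835adee400bba5d3e4b4a6ddd9f6c23b42fe402caf165ea281fd58ded6cd26135e72cf886c29ea32c55b56280cde518000369fbbcbaff51d",
    },
}

ALGOS = ("md5", "sha1", "sha256", "sha512")


def _digest_stream(fh):
    """Feed the stream once through all four hashers; returns {algo: hex}."""
    hashers = {a: getattr(hashlib, a)() for a in ALGOS}
    for chunk in iter(lambda: fh.read(1 << 20), b""):
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def digest_bytes(data):
    return _digest_stream(io.BytesIO(data))


def digest_file(path):
    with open(path, "rb") as fh:
        return _digest_stream(fh)


def classify(digests, targets=REPORT_TARGETS):
    """Return (target name, verdict, matched algorithms).

    "match" when every algorithm listed for a target agrees, "partial" when
    only some do (not proof the file is the sample), "no-match" otherwise.
    """
    for name, expected in targets.items():
        matched = [a for a in expected if expected[a].lower() == digests.get(a)]
        if not matched:
            continue
        verdict = "match" if len(matched) == len(expected) else "partial"
        return name, verdict, matched
    return None, "no-match", []


if __name__ == "__main__":
    for path in sys.argv[1:]:
        name, verdict, matched = classify(digest_file(path))
        print(f"{path}: {verdict} {name or ''} {matched}")
```

Run it as `python verify.py <file> ...`; a "partial" verdict is the one to investigate, since it means the report and the file disagree on at least one algorithm.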
MITRE ATT&CK Enterprise v15 (count of matching signatures per technique)
Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
- Create or Modify System Process (T1543): 2
  - Windows Service (T1543.003): 2
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
- Create or Modify System Process (T1543): 2
  - Windows Service (T1543.003): 2
Defense Evasion
- Impair Defenses (T1562): 1
  - Disable or Modify System Firewall (T1562.004): 1
- Modify Registry (T1112): 4