darkcomet

General

Target

RNSM00477.7z
Size

22.4MB
Sample

240920-xd894ssapj
MD5

e74213e7f48bbb4fc4fba13f0bfaad96
SHA1

ed97322c26c9f7a028b3c587b5d1aaf656b0f22f
SHA256

f1495ff599ccc310bb271cdb147f212dc55a6964e46fe037268638e32d591988
SHA512

c520dac8d25ef5c0864f81e2573dd049fdf5887cbd601488f633549713696a2ac0dd8b4166531c9a40a40010d01381d13f12e7266a7d3b633422618e3bd6d0e0
SSDEEP

393216:uvQVZl/lgu206A8Vdj0RlYl2g9jQ/kWwjTd4hoSGt/D3rrKAqUpW1Zb3CDDoX25P:KQV/lg506/djICP9jQ/FwtivGJ3r7jpF

Malware Config

Extracted

Family

djvu

C2

http://tbpws.top/fhsgtsspen6/get.php

http://securebiz.org/fhsgtsspen6/get.php

http://wrrst.top/fhsgtsspen6/get.php

Attributes

extension
.wiot
offline_id
sZ9rF572Y03XTlUZsBUVlV9YksFOEsyIfGx58yt1
payload_url
http://securebiz.org/dl/build2.exe

http://tbpws.top/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-CtDpAM1g5f Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0333gSd743d

rsa_pubkey.plain

Extracted

Family

nullmixer

C2

http://watira.xyz/

Extracted

Family

vidar

Version

39.7

Botnet

933

C2

https://shpak125.tumblr.com/

Attributes

profile_id
933

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Targets

- Target
  
  RNSM00477.7z
- Size
  
  22.4MB
- MD5
  
  e74213e7f48bbb4fc4fba13f0bfaad96
- SHA1
  
  ed97322c26c9f7a028b3c587b5d1aaf656b0f22f
- SHA256
  
  f1495ff599ccc310bb271cdb147f212dc55a6964e46fe037268638e32d591988
- SHA512
  
  c520dac8d25ef5c0864f81e2573dd049fdf5887cbd601488f633549713696a2ac0dd8b4166531c9a40a40010d01381d13f12e7266a7d3b633422618e3bd6d0e0
- SSDEEP
  
  393216:uvQVZl/lgu206A8Vdj0RlYl2g9jQ/kWwjTd4hoSGt/D3rrKAqUpW1Zb3CDDoX25P:KQV/lg506/djICP9jQ/FwtivGJ3r7jpF
Score

10^/10

darkcomet dharma djvu nanocore nullmixer urelas vidar vjw0rm 933 aspackv2 defense_evasion discovery dropper evasion execution impact keylogger persistence privilege_escalation ransomware rat spyware stealer trojan upx worm
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Detected Djvu ransomware
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
  ransomware djvu
- Modifies WinLogon for persistence
  persistence
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- NullMixer
  NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
  dropper nullmixer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Urelas
  Urelas is a trojan targeting card games.
  trojan urelas
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (329) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Vidar Stealer
  stealer
- Blocklisted process makes network request
- Contacts a large (1134) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Windows Firewall
  evasion
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1