darkcomet | b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1

Sharing

Copy URL

Twitter E-mail

General

Target

The-MALWARE-Repo-master.zip
Size

198.8MB
Sample

241024-bses6axhlg
MD5

af60ad5b6cafd14d7ebce530813e68a0
SHA1

ad81b87e7e9bbc21eb93aca7638d827498e78076
SHA256

b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1
SHA512

81314363d5d461264ed5fdf8a7976f97bceb5081c374b4ee6bbea5d8ce3386822d089d031234ddd67c5077a1cc1ed3f6b16139253fbb1b3d34d3985f9b97aba3
SSDEEP

6291456:wNl3aFW2h9/fiTwCzCLS6iilVkLZgAEtknRzq:wDaFd//Orcpi4VkL6AfRG

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Geforce

startitit2-23969.portmap.host:1604

Mutex

b9584a316aeb9ca9b31edd4db18381f5

Attributes

reg_key
b9584a316aeb9ca9b31edd4db18381f5
splitter
Y262SUCZ4UJJ

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Userdata.exe
copy_folder
Userdata
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%WinDir%\System32
mouse_option
false
mutex
remcos_vcexssuhap
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Ransomware\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

- Target
  
  The-MALWARE-Repo-master/Ransomware/NoMoreRansom.exe
- Size
  
  1.4MB
- MD5
  
  63210f8f1dde6c40a7f3643ccf0ff313
- SHA1
  
  57edd72391d710d71bead504d44389d0462ccec9
- SHA256
  
  2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
- SHA512
  
  87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
- SSDEEP
  
  12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK
Score

10^/10

troldesh defense_evasion discovery execution impact persistence ransomware spyware stealer trojan upx
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2
- Target
  
  The-MALWARE-Repo-master/Ransomware/PowerPoint.exe
- Size
  
  136KB
- MD5
  
  70108103a53123201ceb2e921fcfe83c
- SHA1
  
  c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3
- SHA256
  
  9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
- SHA512
  
  996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b
- SSDEEP
  
  1536:3VrdxBvcGdDHHtWv8udA1JYREgJ/qEOpsChnU4V1lyqHv4vAmOG9HSDKRppppp5B:1H5D0dSgo7ppTV1lyqPOAmOG9HSOD
Score

7^/10

bootkit discovery persistence
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral3 behavioral4
- Target
  
  The-MALWARE-Repo-master/Ransomware/RedBoot.exe
- Size
  
  1.2MB
- MD5
  
  e0340f456f76993fc047bc715dfdae6a
- SHA1
  
  d47f6f7e553c4bc44a2fe88c2054de901390b2d7
- SHA256
  
  1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887
- SHA512
  
  cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc
- SSDEEP
  
  24576:/4GHnhIzOasqUgEOr69/BRH7dCibu+XoAX0eOTva49ttrSpt81ekHPyWe:AshdasJgEOrGBRxCihH7OO49rveMG
Score

9^/10

bootkit discovery persistence ransomware upx
- Renames multiple (147) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral5 behavioral6
- Target
  
  The-MALWARE-Repo-master/Ransomware/Rensenware.exe
- Size
  
  96KB
- MD5
  
  60335edf459643a87168da8ed74c2b60
- SHA1
  
  61f3e01174a6557f9c0bfc89ae682d37a7e91e2e
- SHA256
  
  7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a
- SHA512
  
  b4e5e4d4f0b4a52243d6756c66b4fe6f4b39e64df7790072046e8a3dadad3a1be30b8689a1bab8257cc35cb4df652888ddf62b4e1fccb33e1bbf1f5416d73efb
- SSDEEP
  
  3072:kGXc7vE4k8sWJnmiWpJtCkGwJ1ED7qztG:RXD8sWBmiW0wX6Gx
Score

7^/10

spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral7 behavioral8
- Target
  
  The-MALWARE-Repo-master/Ransomware/WannaCry.exe
- Size
  
  224KB
- MD5
  
  5c7fb0927db37372da25f270708103a2
- SHA1
  
  120ed9279d85cbfa56e5b7779ffa7162074f7a29
- SHA256
  
  be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
- SHA512
  
  a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
- SSDEEP
  
  3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ
Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral10 behavioral9
- Target
  
  The-MALWARE-Repo-master/Ransomware/WannaCrypt0r.exe
- Size
  
  3.4MB
- MD5
  
  84c82835a5d21bbcf75a61706d8ab549
- SHA1
  
  5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
- SHA256
  
  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
- SHA512
  
  90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
- SSDEEP
  
  98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Sets desktop wallpaper using registry
  ransomware
behavioral11 behavioral12
- Target
  
  The-MALWARE-Repo-master/Trojan/Gas.exe
- Size
  
  18KB
- MD5
  
  e7af185503236e623705368a443a17d9
- SHA1
  
  863084d6e7f3ed1ba6cc43f0746445b9ad218474
- SHA256
  
  da3f40b66cc657ea33dbf547eb05d8d4fb5fb5cf753689d0222039a3292c937a
- SHA512
  
  8db51d9029dfb0a1a112899ca1f1dacfd37ae9dec4d07594900c5725bc0f60212ab69395f560b30b20f6e1dffba84d585ef5ae2b43f77c3d5373fe481a8b8fc3
- SSDEEP
  
  192:KtRj6/XFyk9YPdXTH08W8c3LXLtYmEBI9qHVDEV:WV6fFy2Ylz0TiBIw1Dc
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  The-MALWARE-Repo-master/Trojan/LoveYou.exe
- Size
  
  22KB
- MD5
  
  31420227141ade98a5a5228bf8e6a97d
- SHA1
  
  19329845635ebbc5c4026e111650d3ef42ab05ac
- SHA256
  
  1edc8771e2a1a70023fc9ddeb5a6bc950380224b75e8306eb70da8eb80cb5b71
- SHA512
  
  cbb18a6667b377eb68395cfd8df52b7d93c4554c3b5ab32c70e73b86e3dedb7949122fe8eea9530cd53944b45a1b699380bf1e9e5254af04d8409c594a52c0e7
- SSDEEP
  
  384:o4LBivz/4RHCxN3IBUDzfGWCw2cKgDwg7dEsL9s+cLUoHl:o4LBu74Ro9ImnfGWJ2cKgsgZDW+cLUe
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  The-MALWARE-Repo-master/Trojan/MEMZ.exe
- Size
  
  14KB
- MD5
  
  19dbec50735b5f2a72d4199c4e184960
- SHA1
  
  6fed7732f7cb6f59743795b2ab154a3676f4c822
- SHA256
  
  a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
- SHA512
  
  aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
- SSDEEP
  
  192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj
Score

6^/10

bootkit discovery persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral17 behavioral18
- Target
  
  The-MALWARE-Repo-master/Trojan/PCToaster.exe
- Size
  
  411KB
- MD5
  
  04251a49a240dbf60975ac262fc6aeb7
- SHA1
  
  e211ca63af2ab85ffab1e5fbbdf28a4ef8f77de0
- SHA256
  
  85a58aa96dccd94316a34608ba996656a22c8158d5156b6e454d9d69e6ff38c3
- SHA512
  
  3422a231e1dadb68d3567a99d46791392ecf5883fd3bbc2cae19a595364dac46e4b2712db70b61b488937d906413d39411554034ffd3058389700a93c17568d2
- SSDEEP
  
  3072:quJFS5Aqu+WwjxeI/0gVnfKl0FA+aPobO24yNz88iu8vDYHTlI5EJD5Hbibfd6PK:/JM0mCsWq1/qpz+nF5c
Score

7^/10

discovery
- Modifies file permissions
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral19 behavioral20
- Target
  
  The-MALWARE-Repo-master/Trojan/TaskILL.exe
- Size
  
  31KB
- MD5
  
  c261c6e3332d0d515c910bbf3b93aab3
- SHA1
  
  ff730b6b2726240df4b2f0db96c424c464c65c17
- SHA256
  
  4663715548c70eec7e9cbf272171493d47a75d2652e38cca870412ea9e749fe9
- SHA512
  
  a93bd7b1d809493917e0999d4030cb53ab7789c65f6b87e1bbac27bd8b3ad2aeb92dec0a69369c04541f5572a78f04d8dfba900624cf5bd82d7558f24d0a8e26
- SSDEEP
  
  768:Tyc7/ovNV004AjWU3GQelVUlidf+prtbjzjy1QVIibtYcFOKc6K:Tyc2z0ajWTQelzdGDbjzKQVIi7OKcl
Score

1^/10
behavioral21 behavioral22