Overview

overview

10

Static

static

1

RNSM00308.7z

windows7-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RNSM00308.7z

  • Size

    1.7MB

  • Sample

    241113-vwxmxswfmk

  • MD5

    110f2dbedc28666c7d8ccd4bba06d2b8

  • SHA1

    96cbc48fcab1450e18237dc77fd0e7d7e944a77d

  • SHA256

    51db189fed4125f4fb72ac9a078d1a95b9cb43be5c57259ad22a099c0b77d1a4

  • SHA512

    08ac80abb77925dbebc23b57ed4adf995a7a369f1c40d125ef9f73b7ced947343203510b0ad6b34dba20643ce3e13cbcbfbf9404f26b74766420a8b87d8f479c

  • SSDEEP

    49152:bcAdQUY0kuem8NGQM3gR6Wf26YbWNjCUt0p:bLBxTe7GQdXfb9Co4

Score
10/10
darkcometmodiloadernetwireusabotnetdefense_evasiondiscoverypersistenceratstealertrojanupx

Malware Config

Extracted

Family

netwire

C2

178.32.72.136:3361

193.124.0.151:3362
Attributes
  • activex_autorun

    true

  • activex_key

    {0QG8J5X8-8ATR-63E7-Y066-IIX78EN8O68E}

  • copy_executable

    true

  • delete_original

    true

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Skype.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • mutex

    kgTjYgBY

  • offline_keylogger

    true

  • password

    ebefob44

  • registry_autorun

    true

  • startup_name

    TeamViewer

  • use_mutex

    true

Extracted

Family

darkcomet

Botnet

USA

C2

185.142.239.190:5655

Mutex

DC_MUTEX-BHTA0F4

Attributes
  • InstallPath

    MSDC\msdcsc.exe

  • gencode

    URy5L19mbwqc

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      RNSM00308.7z

    • Size

      1.7MB

    • MD5

      110f2dbedc28666c7d8ccd4bba06d2b8

    • SHA1

      96cbc48fcab1450e18237dc77fd0e7d7e944a77d

    • SHA256

      51db189fed4125f4fb72ac9a078d1a95b9cb43be5c57259ad22a099c0b77d1a4

    • SHA512

      08ac80abb77925dbebc23b57ed4adf995a7a369f1c40d125ef9f73b7ced947343203510b0ad6b34dba20643ce3e13cbcbfbf9404f26b74766420a8b87d8f479c

    • SSDEEP

      49152:bcAdQUY0kuem8NGQM3gR6Wf26YbWNjCUt0p:bLBxTe7GQdXfb9Co4

    Score
    10/10
    darkcometmodiloadernetwireusabotnetdefense_evasiondiscoverypersistenceratstealertrojanupx

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Darkcomet family

      darkcomet

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Modifies WinLogon for persistence

      persistence

    • Modiloader family

      modiloader

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Netwire family

      netwire

    • ModiLoader Second Stage

    • Adds policy Run key to start application

      persistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Tasks