Overview

overview

10

Static

static

10

Bitcoin-Ad...ig.exe

windows11-21h2-x64

10

Bitcoin-Ad...ty.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    70cff7636e0aaaef0cf817cbdb6c1375706e711a.zip.tar.gz

  • Size

    12.9MB

  • Sample

    241128-wjtk6s1jbk

  • MD5

    ac7dceb4a85cb4250ac1268f8a3d7481

  • SHA1

    fdc57ca604746204049368a5d23e6c2893590d42

  • SHA256

    38a22130997f3fd2afd7d0773735c729eca349ad93455866ad02543109f4329a

  • SHA512

    912cf8aaa594e0838d332fd5d67c1b212887adffcaf765911dda048e23c7e57d4531cb3395cf57f9be6e12c79402863c21af605dfabee854c0dd3e2e435533fd

  • SSDEEP

    196608:6Gy8SAdVkkiPx5yAPpl0AOIy/w4n2uMhrM0yEtWoGcUKJvbdS8VylZhBqhcDy:6Gy8LXBIRo6u6rM0LgkUKJzdSLnhkN

Score
10/10
asyncratdarkcometdefaultguest16discoveryevasionpersistencerattrojanupx

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

192.168.101.7:6606

192.168.101.7:7707

192.168.101.7:8808

192.168.101.7:1111

192.168.101.7:2222

192.168.101.7:3333

192.168.101.7:4444

192.168.101.7:5555

192.168.101.7:6666

192.168.101.7:7777

192.168.101.7:8888

192.168.101.7:9999
Mutex

H6EV9c34IZEW

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

Guest16

C2

192.168.101.7:1604

192.168.101.7:1605

192.168.101.7:1606

192.168.101.7:1607

192.168.101.7:1608

192.168.101.7:1609

192.168.101.7:1610

192.168.101.7:1611

192.168.101.7:1612

192.168.101.7:1613

192.168.101.7:1614

192.168.101.7:1615

192.168.101.7:1616

192.168.101.7:1617

192.168.101.7:1618

192.168.101.7:1619

192.168.101.7:1620

192.168.101.7:1621

192.168.101.7:1622

192.168.101.7:1623
Mutex

DC_MUTEX-J7WY70H

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    a7kB2AAlrgH4

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/bitcoin address utility/bitcoinaddresutility.config.exe

    • Size

      224KB

    • MD5

      790076ebdb5da5c4b73bdffbd71ba57e

    • SHA1

      a4e0a4aafe30d3035bacda771587bb268d82c671

    • SHA256

      3f18dfdc6a76b0a69097611b9756070ffae79fcc8dc462df2592ef25b415335e

    • SHA512

      f850b38877f8d9c3285a66f4d69a105b5148e65b59b43d1de34e95ba0b03ac1f6e909401adb5b2493d03e832ff3f01205e3b598d3fc9c687ce38b8f720288421

    • SSDEEP

      3072:Ru3ZTd4+2nlm0wybQ73JHiq1gXyO/8ucsE92VJZ/x:Ru3QLn1wybyHikgXy5b8VJX

    Score
    10/10
    asyncratdefaultdiscoveryrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat
    behavioral1

    • Target

      Bitcoin-Address-Utility-main/Bitcoin-Address-Utility-main/bitcoin address utility/setup-Btc Address Utility.exe

    • Size

      252KB

    • MD5

      117c00cf711decc4e925c7ad12e2ca23

    • SHA1

      b1821d002502ae4e77345c259e643807a4d42a34

    • SHA256

      531cf2a20d45777f796656c0c1a1d00971bfc8a23485d9bd6a7b7e9beb5c00aa

    • SHA512

      4e9d56d70cbcaf8a8d1340cb958fa544eabd37f30db0bd101525a90997d9a8311829983c4d7cdf24f0fffa3c01ecb98522caee966198c06bec4d54dd5eeb2f25

    • SSDEEP

      6144:ycNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37:ycW7KEZlPzCy37

    Score
    10/10
    darkcometguest16discoveryevasionpersistencerattrojanupx

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Darkcomet family

      darkcomet

    • Modifies WinLogon for persistence

      persistence

    • Modifies firewall policy service

      evasion

    • Modifies security service

      evasion

    • Windows security bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

3
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

2
T1562.001

Modify Registry

7
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks