General

  • Target

    exebomb.zip

  • Size

    1.1MB

  • Sample

    241205-qvenhaspfj

  • MD5

    bb664a3a77772836032da72a2c990ee8

  • SHA1

    9cd55742edab48b3635e27ed388def80d3a724d5

  • SHA256

    30c6dca8d7298ad8b76d2b4fb29ba10778537df7552e5aeafaad63ffa7287807

  • SHA512

    6662be34b999d63f7e00b4d643ee3323163afefd54431f1d2426940ace3737e4e7118ce86ceb0300a9b02ac52a87044e66827cc5ddb0ed02a24d8217fd7df1c9

  • SSDEEP

    24576:xC7nBACGnldUSyU7IMzH8z8vqFodFsD35vVwz:xC7BA7nrUSNDqadGDpV0

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

C2

eu-west-36307.packetriot.net:22281

Mutex

6480365a57ae304293b6250c39f9b34b

Attributes
  • reg_key

    6480365a57ae304293b6250c39f9b34b

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

xworm

C2

127.0.0.1:7521

chf35s6.localto.net:7521

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    System.exe

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

uygpiyt.localto.net:1604

uygpiyt.localto.net:1843

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

ximlxhkxkljothcwg

Attributes
  • c2_url_file

    https://paste.tc/raw/x-88152-88

  • delay

    1

  • install

    false

  • install_file

    services

  • install_folder

    %AppData%

  • aes.plain

Extracted

Family

darkcomet

Botnet

Guest16

C2

192.168.1.122:1604

Mutex

DC_MUTEX-20997BK

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    LEeu9F65GHcF

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Extracted

Family

darkcomet

Botnet

Sazan

C2

127.0.0.1:1604

Mutex

DC_MUTEX-1ESBB3Q

Attributes
  • gencode

    KdZ2b3vZaGVw

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      Crypted.exe

    • Size

      332KB

    • MD5

      39981a721a6542fb36dc05b3fc20c274

    • SHA1

      74698ff07ef58b8ef23dda2ed91971d4ced3e1d4

    • SHA256

      fd88ebaedaaa336bf48f9e8c21a084c5dc6870c27ff76f62d3ea5526205fa9cd

    • SHA512

      1c3ee4a6a68b4d8d7db0a4eccaa34120d8be7b9b8df87d4af681f51805f5bbacd567b96eb1662d50ad9d454656e864b13af5aaf96151dd8743c9b05fc80a966b

    • SSDEEP

      6144:XsD4sSMNNVAOdeW4pVFK4U5sldnKLceof2VRD/Y7vV9ulo1du9uLJyD2:8E9821/VFVqslNKL94o5Y7vVIaTW2

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build.

    • Target

      HELL-96SQH6IO9SOI2GJFE2H9FUEM3FGU34H.exe

    • Size

      123KB

    • MD5

      868183a0f26683d1d6655a8519b626ba

    • SHA1

      1e646f5cdf2ac3b9692e4cd9c1bbdd9ab523395e

    • SHA256

      8bfbcf2d850c68a7ed6b023faa9062a2189e4e1ed8915351f3b97dbde0d5e528

    • SHA512

      1836a4cb23521d4bd5794eee20e8fdd6e8311ea743f6b9440c4d7f6e5c5501b65aea51f4a01cb40ac28b4a143e02fd8adf50493cfe4124ac0027490afd87597b

    • SSDEEP

      3072:bwMp0TrEZirUcqAOEZirUcqAkEZirUcqAD:bwMp+4Zg1Zg/Zg

    • Score

      3/10
    • Target

      Payload.exe

    • Size

      55KB

    • MD5

      411b64acfcc7f07971c630aa8d229dfa

    • SHA1

      f8e02349ff1be29dfa98dc45a38077289670c1a6

    • SHA256

      c5f77db7ad369d1ace046583b196f763465cd0692ffea635b8c036ba3ecda1bb

    • SHA512

      63ec93dc64157e25a87346c9a7469be8ac367c099328525e4e6db70f7c696590d6fa46e9bf9dd3ef5c6ee60352f22390437cf1c17f537e6e4ca9f1ad9bf5d72e

    • SSDEEP

      768:8mPpUKt1ManMr3Z2NaDyBmH3UekSNemwFvfu0YMDHPs4L7XJSxI3pmhm:8my4DnFNaDyByfDzwsNMD7XExI3pmhm

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      Skype.exe

    • Size

      74KB

    • MD5

      ab7fe54a2dff556af9d0f6524169f305

    • SHA1

      cfd61fb50874d48900f8a058f2f2500aa4caafeb

    • SHA256

      1947f33f50a76eb1093d5bdbc01979f086dbe1f3e9b8501afc4547ed14ea8b5c

    • SHA512

      e7b054fa38fdce9283dcd2fa8f9e8d0cfae813825a6626582aeb089d53e2fe9bb50a18c145d938006f88b2d87e936600db24ba41d480eb49e8a31b26ada6be8c

    • SSDEEP

      1536:A6hZ2mK295bW4yZWalfT/T+bFXQMRYYPp6+B+ORSH5DWoYd2E:AK995qrZT+bNQzSBB+ORSZDWozE

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      SpotifyGenerator.exe

    • Size

      47KB

    • MD5

      b0bea0e74c6022eb15797f3a0d983d3e

    • SHA1

      d74156db340aa6531eeddbd56b9661a71b2d27d9

    • SHA256

      f03aa9a082ef9a099dd59e8ba4a956bd48153f834dbe9c1bb8df4af914751d9a

    • SHA512

      fa061c98014f16a1686906c80a9154accac34276e596c373a4810aa6d73286805d99da42025a89b866ced01be5391e960a36827069909c888b3d5ff235886c39

    • SSDEEP

      768:7u/6ZTgoiziWUUd9rmo2qrXll40Qfj6Q2MKKWT88kTm2dbWv8GWp2kwoeH4tcDZ:7u/6ZTglB2S4f6Q29T888XbWv8T2EeHO

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Target

      calculate.exe

    • Size

      553KB

    • MD5

      d02dd96450aad4137ddbe1c0c15b476b

    • SHA1

      a0b84b677835a7e26cde0bba06635b9c0759df3e

    • SHA256

      a756c75518fea32b684dbf6b57151e45596eaae4f08f767792d7b5c5eb249750

    • SHA512

      9452f79bffb194c9424f8706d0d759a49ea18520fb911f2f8bb1c76baa6f8199fde78035840a3fbb752b3fb1e889f821e0ac3859270d4ee8eec5f94061a5d1c7

    • SSDEEP

      12288:QPDnfAuCL5CZ7HUqQ5G6QepUn0Kh0UeMb01JQntLOCa1isfAgP:QPDfAN5CpJJ6tGnQUema5As

    • Score

      3/10
    • Target

      services.exe

    • Size

      74KB

    • MD5

      e7ba2c20ff0d6d894b2e342dfbc682da

    • SHA1

      b459862f4e9a5a8ed260f13682691eb19e8620f8

    • SHA256

      4820832a84cc249be6408727b394f68127af853496b2f3ac5702fa07c98af452

    • SHA512

      a8291c5357a81f40e9a01467788fad6e57b7869e065223a8a5fa4ee8b471d7491dc3c6af069fd6a635cee7b3d7f34a2cf18d9563b80a874c714f765985668c36

    • SSDEEP

      1536:X5UdAcxqXPC/2PMVMwGPoIYH1ba/PGHq1yzQzc2LVclN:pUicxqfs2PMV7GP2H1bau8SQPBY

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • VenomRAT

      Detects VenomRAT.

    • Venomrat family

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      xray.exe

    • Size

      658KB

    • MD5

      d10c9632d629e612688f4d899adad7ac

    • SHA1

      23b80255a664d7218c388c0e4e4b059c37ea09af

    • SHA256

      8cec15a4d96162345b86b2dc2219f182c194e5860febfbc698cf23eac91dcc72

    • SHA512

      eb4a370049f00ef00296403c3028fcd7f472f34f1d07df02c28512c17ac5b18cbebc02024ad4a0849490cb5c085613fd0640b6a28cf3db4b2623cfca9afb5dec

    • SSDEEP

      12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hj:KZ1xuVVjfFoynPaVBUR8f+kN10EBh

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies security service

    • Windows security bypass

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

  • static1

    Tags: victim, rat, default, guest16, njrat, xworm, asyncrat, venomrat, darkcomet
    Score: 10/10

  • behavioral1

    Tags: darkcomet, sazan, discovery, rat, trojan, upx
    Score: 10/10

  • behavioral2

    Tags: darkcomet, sazan, discovery, rat, trojan, upx
    Score: 10/10

  • behavioral3

    Tags: discovery
    Score: 3/10

  • behavioral4

    Tags: discovery
    Score: 3/10

  • behavioral5

    Tags: njrat, victim, discovery, persistence, trojan
    Score: 10/10

  • behavioral6

    Tags: njrat, discovery, persistence, trojan
    Score: 10/10

  • behavioral7

    Tags: xworm, execution, persistence, rat, trojan
    Score: 10/10

  • behavioral8

    Tags: xworm, execution, persistence, rat, trojan
    Score: 10/10

  • behavioral9

    Tags: asyncrat, default, discovery, rat
    Score: 10/10

  • behavioral10

    Tags: asyncrat, default, discovery, rat
    Score: 10/10

  • behavioral11

    Tags: discovery
    Score: 3/10

  • behavioral12

    Tags: discovery
    Score: 3/10

  • behavioral13

    Tags: asyncrat, venomrat, default, discovery, rat
    Score: 10/10

  • behavioral14

    Tags: asyncrat, venomrat, default, discovery, rat
    Score: 10/10

  • behavioral15

    Tags: darkcomet, guest16, discovery, evasion, persistence, rat, trojan
    Score: 10/10

  • behavioral16

    Tags: darkcomet, guest16, discovery, evasion, persistence, rat, trojan
    Score: 10/10