General

  • Target

    JaffaCakes118_6d9bd1918b31a3fa429cc3d82377d560

  • Size

    401KB

  • Sample

    250103-stwlqstmdp

  • MD5

    6d9bd1918b31a3fa429cc3d82377d560

  • SHA1

    495114eb4c7c1e04b6013c653bf615158d67b353

  • SHA256

    314855348585bf77c0474f74a5b42bb4976b16f7305a4fed007c612e046f9f43

  • SHA512

    c0682fbae0a9beb32852de87d90299a0779ab44839883eeec65911e9bfb4adbf7e6e8f453768546fc84a69f54785a2a7e476fd662790de8bd3ef9c68c2ffa016

  • SSDEEP

    6144:u0H64mYQHr09wpK+E/JvpAxuOC1RAp9jZ3synApEcML1NXC/lqjQ+NSE5FiAXL:stvpXE/sxu/1QjZziMLTXC9qk+NSE5xL

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

hawbashmessi.no-ip.org:1604

Mutex

DC_MUTEX-YUH2TWC

Attributes
  • gencode

    wdDMkYoQ5N1p

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      mono crypter.exe

    • Size

      9KB

    • MD5

      62c723973f715675df73fa05cbec054c

    • SHA1

      1263be85fa87b17f54eb919d729dd1b7513b0e3e

    • SHA256

      e7e4c97ceb46bc8b0964ee3979b8358b26de2e545a042b88e729e41574249074

    • SHA512

      e73d38d2a421960d7d8b9ebd8685cf050b25931d2ad9fa25a56653a28bd8ed07e0ef6f0a9143b7f64633bd916ad98fddea1f99654871c4bf999543d6bba475d1

    • SSDEEP

      96:8/L77IOY86NIHUCJgsb1Zap3hxZD8cE2+YlnlYJomLLGL0KfflwVEBiAj1TRXmmU:OL0L0UoZ83tDpVHnlYJ3KLTqVpCwVvI

    • Score

      3/10

    • Target

      phonex.exe

    • Size

      9KB

    • MD5

      21157c4318cfd772a2d81e76a18205fc

    • SHA1

      b5a62729a394113530ead2c87ac21493933e7686

    • SHA256

      3f0ac34162f3c586de4344115e1f7465deb913d6b718485efc48a91d59f28a8d

    • SHA512

      ed2a76cd16acb7880e90851d954ac46329b093db841bc8bb42fae213ae25da5ffb41d0e0d2ce962f3df76eb42901387c3231bb6d7158067b70ed3707c70bc2e4

    • SSDEEP

      192:LL3AXeUgZ83tDpV4NnlYJ3nLTqVpb3vI:LLTVZ83FpS6XLTcI

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar file browsers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks