Overview

Analysis tabs (each tab carries the score 10):
- Static
- file.exe, windows10-2004-x64
- file.exe, windows11-21h2-x64
- file2.exe, windows10-2004-x64
- file2.exe, windows11-21h2-x64
- file3.exe, windows10-2004-x64
- file3.exe, windows11-21h2-x64
- file4.exe, windows10-2004-x64
- file4.exe, windows11-21h2-x64
- file5.exe, windows10-2004-x64
- file5.exe, windows11-21h2-x64
General (score 10)
- Target: 5e95ac29974541f3cf409d7ca483033c991e644b04f8d2dba7c2e08941511a22
- Size: 809KB
- Sample: 250420-x2pklsssh1
- MD5: 07d68d796e9826b00e03351cfd87e3e3
- SHA1: 2cd1f0484b5c798fc29170be9808f43e8b50daf3
- SHA256: 5e95ac29974541f3cf409d7ca483033c991e644b04f8d2dba7c2e08941511a22
- SHA512: bb83e56d564046f27f36757c207e45a5577142093271d4957ba4d35c18019d02b3630da10d19aad60f0d0f8655223fe9d172b87d50a61b6dbc9b3c881b7db096
- SSDEEP: 24576:V64hcVh/mMmO6HDMNTJBOl0ZRPyMBqooVQn6pMhhQ:Agqh8ljMNHOlyP/oVQ6pUQ
Behavioral tasks (task: sample, resource)
- behavioral1: file.exe, win10v2004-20250314-en
- behavioral2: file.exe, win11-20250410-en
- behavioral3: file2.exe, win10v2004-20250314-en
- behavioral4: file2.exe, win11-20250410-en
- behavioral5: file3.exe, win10v2004-20250313-en
- behavioral6: file3.exe, win11-20250410-en
- behavioral7: file4.exe, win10v2004-20250314-en
- behavioral8: file4.exe, win11-20250410-en
Malware Config

Extracted: darkcomet
- gencode:
- install: false
- offline_keylogger: false
- persistence: false

Extracted: nanocore
- Version: 1.2.2.0
- C2: jvjv2044duck33.duckdns.org:54984
- Mutex: 2fda0c27-65af-4514-b648-0066e7bbf615
- activate_away_mode: true
- backup_connection_host: jvjv2044duck33.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2025-01-27T20:01:11.197098036Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 54984
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 2fda0c27-65af-4514-b648-0066e7bbf615
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: jvjv2044duck33.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000

Extracted: darkcomet
- ID: Guest16
- C2: jvjv2044duck33.duckdns.org:1604
- Mutex: DC_MUTEX-3VMZ2C8
- InstallPath: MSDCSC\msdcsc.exe
- gencode: ttgTbZWj82S9
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate

Extracted: asyncrat
- Version: 0.5.8
- Botnet: Default
- C2: jvjv2044duck33.duckdns.org:8808
- Mutex: 0fC8zJGwBBNm
- delay: 3
- install: true
- install_file: csrss.exe
- install_folder: %AppData%
Targets

Target: file.exe
- Size: 1.1MB
- MD5: b0c07068e6f3b2bb0959a636d4bc8481
- SHA1: 79c420e2a5534ddbc37f5b8cd32a908bc01a293f
- SHA256: b45efe2ba0a53a59524fd3c8ea6011ee8cf824e22d9e86526ed14c8887915820
- SHA512: 782db1f74f54f73be28a49bdcc98a89e231a07e0d06f6b35f80154d9e918e033f15856b9b39b6d501d88207771e4f3d15f7516961526d6663487d73916e5452f
- SSDEEP: 12288:Z4T4b4tcW7KEZlPzCy37tLV6Btpmkkx6g2UcW7KEZlPzCy37tLV6Btpmkkx6g2:Zm+KKiRzC0lApfkxIgKiRzC0lApfkxI

Signatures:
- Darkcomet family
- Modifies WinLogon for persistence
- Nanocore family
- Disables Task Manager via registry modification
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
Target: file2.exe
- Size: 968KB
- MD5: 8e8c0b5bf7b262756a59095da213ee90
- SHA1: e3a84452231879057925e565a2f6592cb8e2ebdd
- SHA256: 047ab1b39a89a4bf9cb51c810dc7a4d62e3f848df566ec9884393c60d0988039
- SHA512: 1bde8ffa4fea4539ff889ce0625eb0caed5250881eb8f56456cc092610550948552ecdff0c3c786df97e592399fc3084c4e0fa798cb916860349fbbe5a5c38db
- SSDEEP: 24576:43Z1xuVVjfFoynPaVBUR8f+kN10EB4gGApfkxI:4pQDgok30JjAL

Signatures:
- Asyncrat family
- Darkcomet family
- Modifies WinLogon for persistence
- Nanocore family
- Async RAT payload
- Disables Task Manager via registry modification
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
Target: file3.exe
- Size: 1.0MB
- MD5: 784eb8175f6a13be07633f2deb13a7ef
- SHA1: a369bf9b6e3dc4af534b0980d88af246ef2a980b
- SHA256: 751b84526549ce5185de83cc3e7baf3e9019ba2bb51160d0a7890b82b2807d5f
- SHA512: 7238874a886682ba108e5bed8e20350038dc24c630717ac52b1e38322fe124f4f9b1c40e6ff50fb94df6108aa371d7a0cf4c76d9e77a05700cde600e989dbd5c
- SSDEEP: 24576:zm+KZ1xuVVjfFoynPaVBUR8f+kN10EB4gGApfkxI:zm+aQDgok30JjAL

Signatures:
- Asyncrat family
- Darkcomet family
- Modifies WinLogon for persistence
- Nanocore family
- Async RAT payload
- Disables Task Manager via registry modification
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
Target: file4.exe
- Size: 1.0MB
- MD5: e08bd789d9f45b08fe924d94b955d869
- SHA1: 25776cfff6c72af601435b4e0e13f0b901f20f6e
- SHA256: 2cc9a71b892bfa00b5b457b391683b6dffde83cbf2360ad7111f2b0a934ddbc0
- SHA512: bb6cbb399ddc24ed0b5d1ee6f8c2623eb2b15538e3ef742e532a56f6da302be17bf2d1783ab48238f0fa485284850e6ac0b3979adb34f82ea004549ea83faff1
- SSDEEP: 24576:7j+KZ1xuVVjfFoynPaVBUR8f+kN10EBRgGApfkxI:7j+aQDgok30UjAL

Signatures:
- Asyncrat family
- Darkcomet family
- Modifies WinLogon for persistence
- Nanocore family
- Async RAT payload
- Disables Task Manager via registry modification
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
Target: file5.exe
- Size: 648KB
- MD5: 38836c26314605862f3ca3bfe0936b46
- SHA1: b68d2a35b2d9f5083e3b2574ec409c6dbb615fd1
- SHA256: 3e151c518a16e949c618995aa6e38f509ff95f4fcc0f2a84a13a64f310e34e1b
- SHA512: dc0aecfe210fd1169eea3118ca09de6dcb4e53ad6a7aee25580df1b82b224fa551a4c961756fbf0a415ab77aec2a26867cfd16fe0358bb1024da80b9e7bdc67e
- SSDEEP: 12288:k4u+fpcW7KEZlPzCy37N282g0LV6Btpmkkx6g2:k1+TKiRzC0NqgGApfkxI

Signatures:
- Asyncrat family
- Darkcomet family
- Modifies WinLogon for persistence
- Nanocore family
- Async RAT payload
- Disables Task Manager via registry modification
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
MITRE ATT&CK Enterprise v16 (technique, number of matching signatures)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (2)