1
2* ID: 5007
3* MalFamily: "Darkcomet"
4
5* MalScore: 10.0
6
7* File Name: "Exes_5af20697de884de920959c39da07d4bb.exe"
8* File Size: 1571840
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "e23707d9b397a9387cff793cb8345f17a2ac132ed14b4c05debf44f09c02252e"
11* MD5: "5af20697de884de920959c39da07d4bb"
12* SHA1: "32ea6efed71548800068b1065631c544f46300fa"
13* SHA512: "969ac5c2e1acd05a02f6d06becc41b367dc01fcfc3c0aafdf02c88e659fbc33d4d9ea4ce378a272f4f425c11edf34a200107dbfd07713be15d539a9c789a8562"
14* CRC32: "ADFBE998"
15* SSDEEP: "24576:qtb20pkaCqT5TBWgNQ7ajv4oHbEOwyLz00GTTo2gMqVpIfMuMc8Sq0rAz6A:XVg5tQ7ajnHbEOL0JTTfNQ+0FSE5"
16
17* Process Execution:
18 "otlJjj6XKF.exe",
19 "cmd.exe",
20 "1fl.exe",
21 "iexplore.exe",
22 "iexplore.exe",
23 "cmd.exe",
24 "FdB4C5Z.exe",
25 "javaupdate.exe",
26 "svchost.exe",
27 "EXCEL.EXE",
28 "WmiPrvSE.exe",
29 "svchost.exe",
30 "WMIADAP.exe"
31
32
33* Executed Commands:
34 "C:\\Windows\\system32\\cmd.exe /C C:\\Users\\user\\AppData\\Roaming\\1fl.exe",
35 "C:\\Windows\\system32\\cmd.exe /C C:\\Users\\user\\AppData\\Roaming\\FdB4C5Z.exe",
36 "\"C:\\Program Files (x86)\\Microsoft Office\\Office15\\EXCEL.EXE\" /automation -Embedding",
37 "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
38 "C:\\Users\\user\\AppData\\Roaming\\1fl.exe",
39 "C:\\Users\\user\\AppData\\Roaming\\FdB4C5Z.exe",
40 "\"C:\\Windows\\system32\\OracleJava\\javaupdate.exe\"",
41 "C:\\Windows\\System32\\OracleJava\\javaupdate.exe ",
42 "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R"
43
44
45* Signatures Detected:
46
47 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
48 "Details":
49
50
51 "Description": "Attempts to connect to a dead IP:Port (1 unique time)",
52 "Details":
53
54 "IP_ioc": "193.84.64.159:1604 (Romania)"
55
56
57
58
59 "Description": "Executed a command line with the /C or /R argument, which terminates the command shell on completion and can be used to hide execution",
60 "Details":
61
62 "command": "C:\\Windows\\system32\\cmd.exe /C C:\\Users\\user\\AppData\\Roaming\\1fl.exe"
63
64
65 "command": "C:\\Windows\\system32\\cmd.exe /C C:\\Users\\user\\AppData\\Roaming\\FdB4C5Z.exe"
66
67
68
69
70 "Description": "Possible date-expiration check: exits too soon after checking the local time",
71 "Details":
72
73 "process": "1fl.exe, PID 1920"
74
75
76
77
78 "Description": "Guard page use detected - possible anti-debugging.",
79 "Details":
80
81
82 "Description": "Performs HTTP requests that are potentially not present in the PCAP.",
83 "Details":
84
85 "url_ioc": "fyzee.top:80//exes/header.php"
86
87
88 "url_ioc": "fyzee.top:80//exes/header.php"
89
90
91
92
93 "Description": "Expresses interest in specific running processes",
94 "Details":
95
96 "process": "mscorsvw.exe"
97
98
99 "process": "armsvc.exe"
100
101
102
103
104 "Description": "A process created a hidden window",
105 "Details":
106
107 "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
108
109
110
111
112 "Description": "The binary likely contains encrypted or compressed data.",
113 "Details":
114
115 "section": "name: .rsrc, entropy: 7.97, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x000b6c00, virtual_size: 0x000b6b74"
116
117
118
119
120 "Description": "Uses Windows utilities for basic functionality",
121 "Details":
122
123 "command": "C:\\Windows\\system32\\cmd.exe /C C:\\Users\\user\\AppData\\Roaming\\1fl.exe"
124
125
126 "command": "C:\\Windows\\system32\\cmd.exe /C C:\\Users\\user\\AppData\\Roaming\\FdB4C5Z.exe"
127
128
129
130
131 "Description": "Sniffs keystrokes",
132 "Details":
133
134 "SetWindowsHookExA": "Process: javaupdate.exe(2740)"
135
136
137
138
139 "Description": "Behavioural detection: Injection (inter-process)",
140 "Details":
141
142
143 "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
144 "Details":
145
146
147 "Description": "A potential decoy document was displayed to the user",
148 "Details":
149
150 "Decoy Document": "\"c:\\program files (x86)\\microsoft office\\office15\\excel.exe\" /automation -embedding"
151
152
153
154
155 "Description": "Installs itself for autorun at Windows startup",
156 "Details":
157
158 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DarkComet RAT"
159
160
161 "data": "C:\\Windows\\system32\\OracleJava\\javaupdate.exe"
162
163
164 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\31cf0c43-757e-44f8-b976-51e5fc09ee92"
165
166
167 "data": "C:\\Users\\user\\AppData\\Roaming\\vibae\\vibae.exe"
168
169
170 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\31cf0c43-757e-44f8-b976-51e5fc09ee92"
171
172
173 "data": "C:\\Users\\user\\AppData\\Roaming\\vibae\\vibae.exe"
174
175
176 "key": "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\31cf0c43-757e-44f8-b976-51e5fc09ee92"
177
178
179 "data": "C:\\Users\\user\\AppData\\Roaming\\vibae\\vibae.exe"
180
181
182 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit"
183
184
185 "data": "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\OracleJava\\javaupdate.exe"
186
187
188
189
190 "Description": "Stack pivoting was detected when using a critical API",
191 "Details":
192
193 "process": "svchost.exe:204"
194
195
196
197
198 "Description": "CAPE detected the DarkComet malware family",
199 "Details":
200
201
202 "Description": "File has been identified as malicious by 47 antivirus engines on VirusTotal",
203 "Details":
204
205 "MicroWorld-eScan": "Trojan.Generic.15301154"
206
207
208 "CAT-QuickHeal": "TrojanPWS.Dexter"
209
210
211 "McAfee": "Artemis!5AF20697DE88"
212
213
214 "Cylance": "Unsafe"
215
216
217 "K7GW": "Trojan ( 004c3d061 )"
218
219
220 "K7AntiVirus": "Trojan ( 004c3d061 )"
221
222
223 "Arcabit": "Trojan.Generic.DE97A22"
224
225
226 "Invincea": "heuristic"
227
228
229 "Baidu": "Win32.Trojan.WisdomEyes.16070401.9500.9840"
230
231
232 "NANO-Antivirus": "Trojan.Win32.Androm.engksd"
233
234
235 "Cyren": "W32/Trojan.AGYS-7606"
236
237
238 "Symantec": "ML.Attribute.HighConfidence"
239
240
241 "TrendMicro-HouseCall": "TROJ_GEN.R002H0CGN18"
242
243
244 "Avast": "Win32:Malware-gen"
245
246
247 "Kaspersky": "Backdoor.Win32.Androm.mvww"
248
249
250 "BitDefender": "Trojan.Generic.15301154"
251
252
253 "Paloalto": "generic.ml"
254
255
256 "AegisLab": "Trojan.Win32.Androm.m!c"
257
258
259 "Ad-Aware": "Trojan.Generic.15301154"
260
261
262 "Emsisoft": "Trojan.Generic.15301154 (B)"
263
264
265 "Comodo": ".UnclassifiedMalware"
266
267
268 "F-Secure": "Trojan.Generic.15301154"
269
270
271 "VIPRE": "Trojan.Win32.Generic!BT"
272
273
274 "McAfee-GW-Edition": "BehavesLike.Win32.Generic.tc"
275
276
277 "Sophos": "Mal/Generic-S"
278
279
280 "SentinelOne": "static engine - malicious"
281
282
283 "Webroot": "Trojan.Dropper.Gen"
284
285
286 "Avira": "DR/AutoIt.Gen"
287
288
289 "Antiy-AVL": "Trojan/Generic.ASVCS3S.1E5"
290
291
292 "Microsoft": "PWS:Win32/Dexter.A"
293
294
295 "Endgame": "malicious (moderate confidence)"
296
297
298 "ZoneAlarm": "Backdoor.Win32.Androm.mvww"
299
300
301 "GData": "Trojan.Generic.15301154"
302
303
304 "AhnLab-V3": "Malware/Win32.Generic.C1901186"
305
306
307 "ALYac": "Trojan.Generic.15301154"
308
309
310 "AVware": "Trojan.Win32.Generic!BT"
311
312
313 "MAX": "malware (ai score=99)"
314
315
316 "VBA32": "Trojan.Autoit.Injcrypt"
317
318
319 "ESET-NOD32": "Win32/TrojanDropper.Autoit.JO"
320
321
322 "Tencent": "Win32.Backdoor.Androm.Tafi"
323
324
325 "Ikarus": "Trojan-Dropper.Win32.Autoit"
326
327
328 "Fortinet": "W32/AutoIt.JO!tr"
329
330
331 "AVG": "Win32:Malware-gen"
332
333
334 "Cybereason": "malicious.7de884"
335
336
337 "Panda": "Trj/CI.A"
338
339
340 "CrowdStrike": "malicious_confidence_100% (D)"
341
342
343 "Qihoo-360": "HEUR/QVM10.1.Malware.Gen"
344
345
346
347
348 "Description": "Attempts to modify browser security settings",
349 "Details":
350
351
352 "Description": "ClamAV hits in Target/Dropped/SuriExtracted",
353 "Details":
354
355 "dropped": "clamav:Win.Trojan.DarkKomet-1, sha256:0a927d02404630982f7b797dd08657034f80ea8619519726b2cb53c9172af2a3 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\FdB4C5Z.cod*C:\\Users\\user\\AppData\\Roaming\\FdB4C5Z.exe*C:\\Windows\\System32\\OracleJava\\javaupdate.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
356
357
358
359
360 "Description": "Interacts with known DarkComet registry keys",
361 "Details":
362
363 "Key": "HKEY_CURRENT_USER\\Software\\DC3_FEXEC"
364
365
366 "Key": "HKEY_CURRENT_USER\\Software\\DC3_FEXEC\\3d3783a0-703a-11de-8c7a-806e6f6e6963-3250959951"
367
368
369 "Key": "HKEY_CURRENT_USER\\Software\\DC2_USERS"
370
371
372
373
374 "Description": "Drops a binary and executes it",
375 "Details":
376
377 "binary": "C:\\Users\\user\\AppData\\Roaming\\FdB4C5Z.exe"
378
379
380 "binary": "C:\\Users\\user\\AppData\\Roaming\\1fl.exe"
381
382
383
384
385 "Description": "Created network traffic indicative of malicious activity",
386 "Details":
387
388 "signature": "ET DNS Query to a *.top domain - Likely Hostile"
389
390
391
392
393
394* Started Service:
395
396* Mutexes:
397 "Local\\10MU_ACBPIDS_S-1-5-5-0-118397",
398 "Local\\10MU_ACB10_S-1-5-5-0-118397",
399 "Global\\552FFA80-3393-423d-8671-7BA046BB5906",
400 "CicLoadWinStaWinSta0",
401 "Local\\MSCTF.CtfMonitorInstMutexDefault1",
402 "Global\\MsoShellExtRegAccess_S-1-5-21-0000000000-0000000000-0000000000-1000",
403 "WindowsRemoteResilienceJavaOracleServiceMutex",
404 "DCMIN_MUTEX-SZWH1ZD",
405 "Global\\ADAP_WMI_ENTRY",
406 "Global\\RefreshRA_Mutex",
407 "Global\\RefreshRA_Mutex_Lib",
408 "Global\\RefreshRA_Mutex_Flag"
409
410
411* Modified Files:
412 "C:\\Users\\user\\AppData\\Local\\Temp\\aut415F.tmp",
413 "C:\\Users\\user\\AppData\\Roaming\\1fl.mpeg",
414 "C:\\Users\\user\\AppData\\Local\\Temp\\aut418F.tmp",
415 "C:\\Users\\user\\AppData\\Roaming\\FdB4C5Z.ze",
416 "C:\\Users\\user\\AppData\\Roaming\\1fl.jpg",
417 "C:\\Users\\user\\AppData\\Roaming\\FdB4C5Z.cod",
418 "C:\\Users\\user\\AppData\\Roaming\\1fl.exe",
419 "C:\\Users\\user\\AppData\\Roaming\\FdB4C5Z.exe",
420 "C:\\Users\\user\\AppData\\Local\\Temp\\CVR3151.tmp.cvr",
421 "C:\\Windows\\System32\\OracleJava\\javaupdate.exe",
422 "C:\\Users\\user\\AppData\\Roaming\\vibae\\vibae.exe",
423 "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
424 "\\??\\PIPE\\samr",
425 "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
426 "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
427 "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
428 "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
429 "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
430 "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
431 "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER"
432
433
434* Deleted Files:
435 "C:\\Users\\user\\AppData\\Local\\Temp\\aut415F.tmp",
436 "C:\\Users\\user\\AppData\\Local\\Temp\\aut418F.tmp",
437 "C:\\Users\\user\\AppData\\Roaming\\1fl.jpg",
438 "C:\\Users\\user\\AppData\\Roaming\\FdB4C5Z.cod",
439 "C:\\Users\\user\\AppData\\Roaming\\1fl.mpeg",
440 "C:\\Users\\user\\AppData\\Roaming\\FdB4C5Z.ze",
441 "C:\\Users\\user\\AppData\\Local\\Temp\\CVR3151.tmp",
442 "C:\\Users\\user\\AppData\\Local\\Temp\\CVR3151.tmp.cvr",
443 "C:\\Users\\user\\AppData\\Roaming\\1fl.exe"
444
445
446* Modified Registry Keys:
447 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005119110000000000000000F01FEC\\Usage\\EXCELFiles",
448 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\Resiliency\\StartupItems",
449 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\Resiliency\\StartupItems\\q(`",
450 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005119110000000000000000F01FEC\\Usage\\ProductFiles",
451 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\LanguageResources\\EnabledLanguages\\1033",
452 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Migration\\Excel",
453 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\MTTT",
454 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Feedback\\AppUsageData_2",
455 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\FontInfoCache",
456 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\Options",
457 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\Options\\Options5",
458 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\Options\\OptionFormat",
459 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\Options\\Pos",
460 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\MTTF",
461 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\MTTA",
462 "HKEY_CURRENT_USER\\Software\\DC3_FEXEC",
463 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DarkComet RAT",
464 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit",
465 "HKEY_CURRENT_USER\\Software\\Resilience Software",
466 "HKEY_CURRENT_USER\\Software\\Resilience Software\\Digit",
467 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\31cf0c43-757e-44f8-b976-51e5fc09ee92",
468 "HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\31cf0c43-757e-44f8-b976-51e5fc09ee92",
469 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\31cf0c43-757e-44f8-b976-51e5fc09ee92",
470 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations",
471 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations\\LowRiskFileTypes",
472 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0\\1806",
473 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0\\1806",
474 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
475 "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
476 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
477 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
478 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
479 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
480 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
481 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider"
482
483
484* Deleted Registry Keys:
485 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\Resiliency\\StartupItems\\q(`",
486 "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Excel\\MTTT"
487
488
489* DNS Communications:
490
491 "type": "A",
492 "request": "fyzee.top",
493 "answers":
494
495
496
497* Domains:
498
499 "ip": "",
500 "domain": "fyzee.top"
501
502
503
504* Network Communication - ICMP:
505
506* Network Communication - HTTP:
507
508* Network Communication - SMTP:
509
510* Network Communication - Hosts:
511
512 "country_name": "Romania",
513 "ip": "193.84.64.159",
514 "inaddrarpa": "",
515 "hostname": ""
516
517
518
519* Network Communication - IRC: