DarkKomet
MD5: 51927f923d06e3219f61615b9526a663
SHA-1: 50686b94761d1a850b3b563fdd14a226d767f0a6
SHA-256: 437f3ab18f1886045732f150fddaa23db1e97687d4ecb826c7bd128586c19396
Malware: DarkKomet Backdoor
FileName: P4.exe
Found: http://46.17.43.250:8081/
IP: 46.17.43.250
Country: Russia
ASN: AS51659
ASN Name: LLC Baxet
INTERNALS
=========
Replicates/spreads via removable USB drives (ATT&CK T1091)
DLL side-loading (Hijack Execution Flow, T1574.002); persistence via boot or logon autostart execution (T1547)
Keylogging (T1056.001), screen capture (T1113), clipboard data collection (T1115)
Ingress Tool Transfer (T1105): downloads additional tooling from the C2
Encoding: Base64 and XOR (Obfuscated Files and Information, T1027)
Generates random numbers with the Delphi LCG (Random(): seed = seed * 134775813 + 1 mod 2^32)
PE resource child: PrintNotifyPotato.exe
Packed with BobSoft Mini Delphi, a packer commonly used to evade static and dynamic malware classification
Turkish-language strings present in the embedded resources
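The Delphi LCG and the Base64/XOR encoding listed above, as an added worked example (this is not code from the sample or from this repository): it reimplements Delphi's Random() generator and shows how an analyst decodes a Base64-wrapped, XOR-encoded string and recovers a small seed by known-plaintext brute force. Using the LCG output as the XOR keystream, the layering order (XOR first, then Base64), the bounded seed range and the fake C2 URL are assumptions made for illustration; the page does not state how this sample combines these pieces.

```python
import base64
from typing import Optional

# Delphi/Borland Random() constants: seed = (seed * 134775813 + 1) mod 2^32
DELPHI_MULT = 0x08088405
DELPHI_INC = 1
MASK32 = 0xFFFFFFFF


class DelphiLCG:
    """Reimplementation of Delphi's Random() linear congruential generator."""

    def __init__(self, seed: int) -> None:
        self.seed = seed & MASK32  # RandSeed is a 32-bit value

    def next_u32(self) -> int:
        """Advance the state once and return the new 32-bit RandSeed."""
        self.seed = (self.seed * DELPHI_MULT + DELPHI_INC) & MASK32
        return self.seed

    def random(self, n: int) -> int:
        """Delphi's Random(N): high 32 bits of (new seed * N), i.e. a value in [0, N)."""
        return (self.next_u32() * n) >> 32


def keystream(seed: int, length: int) -> bytes:
    """Hypothetical XOR keystream: one Random(256) byte per plaintext byte.
    This pairing of the LCG with the XOR layer is an assumption, not taken from the sample."""
    rng = DelphiLCG(seed)
    return bytes(rng.random(256) for _ in range(length))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (key is cycled if shorter than data)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_blob(plaintext: bytes, seed: int) -> str:
    """XOR with the LCG keystream, then Base64-wrap (assumed layering order)."""
    return base64.b64encode(xor_bytes(plaintext, keystream(seed, len(plaintext)))).decode("ascii")


def decode_blob(b64: str, seed: int) -> bytes:
    """Reverse of encode_blob: Base64-decode, then XOR with the same keystream."""
    raw = base64.b64decode(b64)
    return xor_bytes(raw, keystream(seed, len(raw)))


def recover_seed(b64: str, known_prefix: bytes, max_seed: int) -> Optional[int]:
    """Known-plaintext brute force over a bounded seed space (e.g. a small tick count).
    Returns the first seed whose keystream turns the ciphertext prefix into known_prefix,
    or None if no seed below max_seed matches."""
    raw = base64.b64decode(b64)[: len(known_prefix)]
    for seed in range(max_seed):
        if xor_bytes(raw, keystream(seed, len(raw))) == known_prefix:
            return seed
    return None


if __name__ == "__main__":
    # Constructed sample: a fake C2 URL encoded under a small seed (not data from the sample).
    secret = b"http://c2.example.invalid:8081/"
    blob = encode_blob(secret, 4919)
    print("encoded:", blob)
    print("recovered seed:", recover_seed(blob, b"http://", 1 << 16))
    print("decoded:", decode_blob(blob, 4919))
```

Because the LCG state is only 32 bits and the update is a bijection, two seeds produce identical keystreams only if they are equal; a seven-byte known prefix such as `http://` is therefore enough to identify the seed with negligible false-positive risk, and searching the full 2^32 space is feasible in a compiled language if the seed is not known to be small.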
================================================================
6337744af29ef05448693f358ecca2ebaf50c1e5727984b3ded297eaad620656
482d9673cfee5de391f97fde4d1c84f9f8d6f2cf0784fcffb958b4032de7236c
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2: Malicious
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15: Malicious
a14e70ed824f3f17d3a51136aa08839954d6d3ccadaa067415c7bfc08e6636b0: Contacted files are malicious; TrickBot also observed
85f6fa8b937925722f2daca9091fbbfbabe54189e016fd51ecc79e2d941ad045
Submitted to:
https://www.virustotal.com/gui/file/437f3ab18f1886045732f150fddaa23db1e97687d4ecb826c7bd128586c19396/detection
https://bazaar.abuse.ch/sample/437f3ab18f1886045732f150fddaa23db1e97687d4ecb826c7bd128586c19396/