Overview

overview

10

Static

static

5

5943effc53...d0.exe

windows7_x64

10

5943effc53...d0.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5943effc5341ed40e50e71b719d370031f4938d68f806204564ee4c71f2a68d0

  • Size

    3.5MB

  • Sample

    201106-w6a845aftj

  • MD5

    1d1d1d3bbd32a651a4d3a5f7921d85f2

  • SHA1

    cabc5f91a11bda3a0b25b477093d7e7204b0c056

  • SHA256

    5943effc5341ed40e50e71b719d370031f4938d68f806204564ee4c71f2a68d0

  • SHA512

    40c4f55e07e6a8df507408fdd7443883fecd767d77ea57a0475e517050bcb2a31ba961d207b67d38ff64b673ff949822f734a8a3bfc1cfa13197769ad92a959a

Score
10/10
darkcometguest16evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

console-wifi.ddns.net:1604

Mutex

DC_MUTEX-8VGGSVK

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    ifCVVYKKmA7g

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      5943effc5341ed40e50e71b719d370031f4938d68f806204564ee4c71f2a68d0

    • Size

      3.5MB

    • MD5

      1d1d1d3bbd32a651a4d3a5f7921d85f2

    • SHA1

      cabc5f91a11bda3a0b25b477093d7e7204b0c056

    • SHA256

      5943effc5341ed40e50e71b719d370031f4938d68f806204564ee4c71f2a68d0

    • SHA512

      40c4f55e07e6a8df507408fdd7443883fecd767d77ea57a0475e517050bcb2a31ba961d207b67d38ff64b673ff949822f734a8a3bfc1cfa13197769ad92a959a

    Score
    10/10
    darkcometguest16evasionpersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Hidden Files and Directories

2
T1158

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks