Overview

overview

10

Static

static

ec06c4752f...5e.exe

windows7_x64

10

ec06c4752f...5e.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ec06c4752f4ae2a0beae7f59c5ae891617891237bc3737aac96e7d20a8ebf65e

  • Size

    1.8MB

  • Sample

    201109-3cl9r52jd2

  • MD5

    a56044b0c60de9b761a2c3b2707972f0

  • SHA1

    1e33c1f77a16d7c1448b0134b8f0524b82cc872a

  • SHA256

    ec06c4752f4ae2a0beae7f59c5ae891617891237bc3737aac96e7d20a8ebf65e

  • SHA512

    21921479eb76d14c46482159a18c8ff735d115f1ad55ff5c9db92a0c1577839bec576933d5bbd673264706207576d8e93da1470d55e8945acead1e847ade9bb4

Score
10/10
darkcometvbstedevasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

vbsted

C2

forshared.ddns.net:6722

Mutex

DC_MUTEX-6UPV0L8

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    kWdnrSvNCdV5

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      ec06c4752f4ae2a0beae7f59c5ae891617891237bc3737aac96e7d20a8ebf65e

    • Size

      1.8MB

    • MD5

      a56044b0c60de9b761a2c3b2707972f0

    • SHA1

      1e33c1f77a16d7c1448b0134b8f0524b82cc872a

    • SHA256

      ec06c4752f4ae2a0beae7f59c5ae891617891237bc3737aac96e7d20a8ebf65e

    • SHA512

      21921479eb76d14c46482159a18c8ff735d115f1ad55ff5c9db92a0c1577839bec576933d5bbd673264706207576d8e93da1470d55e8945acead1e847ade9bb4

    Score
    10/10
    darkcometvbstedevasionpersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks