Overview

overview

10

Static

static

8

ba44e79fa6...29.exe

windows7_x64

10

ba44e79fa6...29.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ba44e79fa6d4eff102e72b020e38773313169a506fe122299249966c03ff5929

  • Size

    252KB

  • Sample

    201115-evc6tdmtc2

  • MD5

    211a09040d2cb30152089b6510fbb9f1

  • SHA1

    df0098c310c380d37bc196e63b5fed540f64779a

  • SHA256

    ba44e79fa6d4eff102e72b020e38773313169a506fe122299249966c03ff5929

  • SHA512

    f89f11c1140da0798ae447e35055a3d5b948a5815dba9c1bf05b546390d74e1bfb2decf4e3e6c2f8487455e165ec2752c362b45a6ac42b43da04eed9bd35f6ff

Score
10/10
darkcometguest16persistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

ximer2020.ddns.net:1604

Mutex

DC_MUTEX-4U0HFC0

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    aDFqoxfKfrcR

  • install

    true

  • offline_keylogger

    true

  • password

    82121020202222

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      ba44e79fa6d4eff102e72b020e38773313169a506fe122299249966c03ff5929

    • Size

      252KB

    • MD5

      211a09040d2cb30152089b6510fbb9f1

    • SHA1

      df0098c310c380d37bc196e63b5fed540f64779a

    • SHA256

      ba44e79fa6d4eff102e72b020e38773313169a506fe122299249966c03ff5929

    • SHA512

      f89f11c1140da0798ae447e35055a3d5b948a5815dba9c1bf05b546390d74e1bfb2decf4e3e6c2f8487455e165ec2752c362b45a6ac42b43da04eed9bd35f6ff

    Score
    10/10
    darkcometguest16persistencerattrojanupx

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks