General

  • Target

    Order Requirement 3411.exe

  • Size

    3.1MB

  • Sample

    210109-7ka3xb2gc6

  • MD5

    78d1cabb867eb5b30ccab20ae79f1760

  • SHA1

    5958963ab0b43905a2d1654f6f2afa944e633186

  • SHA256

    78b5af812d3f9f4aa0b6c8b1840c42a15cc9938e8926f933d51eebc205645da6

  • SHA512

    43291cc257c3939fe671e270294ce210d959f78b9b4bfb042d6ab96950111e886310d0bdcf244deaad002f6003129d994262a9ba1db46cd5d0b9b62ed5d967db

Malware Config

Extracted

Family

darkcomet

Botnet

JANuary 2021

C2

chrisle79.ddns.net:3317

jacknop79.ddns.net:3317

smath79.ddns.net:3317

whatis79.ddns.net:3317

goodgt79.ddns.net:3317

bonding79.ddns.net:3317

Mutex

DC_MUTEX-X1VW1F7

Attributes

  • gencode

    U35l73tWGu8y

  • install

    false

  • offline_keylogger

    true

  • password

    Password20$

  • persistence

    false

Targets

    • Target

      Order Requirement 3411.exe

    • Size

      3.1MB

    • MD5

      78d1cabb867eb5b30ccab20ae79f1760

    • SHA1

      5958963ab0b43905a2d1654f6f2afa944e633186

    • SHA256

      78b5af812d3f9f4aa0b6c8b1840c42a15cc9938e8926f933d51eebc205645da6

    • SHA512

      43291cc257c3939fe671e270294ce210d959f78b9b4bfb042d6ab96950111e886310d0bdcf244deaad002f6003129d994262a9ba1db46cd5d0b9b62ed5d967db

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scripting (1) T1064

  • Persistence

    Winlogon Helper DLL (1) T1004

  • Defense Evasion

    Modify Registry (1) T1112

    Virtualization/Sandbox Evasion (2) T1497

    Scripting (1) T1064

  • Discovery

    Query Registry (3) T1012

    Virtualization/Sandbox Evasion (2) T1497

    System Information Discovery (1) T1082
