General
-
Target
lab_02_win10x64.zip
-
Size
1.4MB
-
Sample
210625-cq4tb9vnan
-
MD5
016372049572bd04a23e50f131217627
-
SHA1
2b1276f7efcb94798d39e0913bb5ed63f1e8b720
-
SHA256
3d445366066d1c084f489995e476abe8e1204fa1918468868c4f90cabd2e5817
-
SHA512
fb139ec75a88edc271f974f6612ec176bcdb360e1e073fa288d550612d2c4a0a9c3993afc24c65146ca8c051655d03cc7e86d774e14ce72722206dc39df93e1d
Malware Config
Extracted
darkcomet
Guest16
test213.no-ip.info:1604
DC_MUTEX-KHNEW06
-
InstallPath
MSDCSC\runddl32.exe
-
gencode
F6FE8i2BxCpu
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
lab_02_win10x64/1e3966e77ad1cbf3e3ef76803fbf92300b2b88af39650a1208520e0cdc05645b.exe
-
Size
766KB
-
MD5
405dba47e2b03f53db2101444e6a925c
-
SHA1
ed769ff77f46730a9b58a111c52f9e498ec00838
-
SHA256
1e3966e77ad1cbf3e3ef76803fbf92300b2b88af39650a1208520e0cdc05645b
-
SHA512
3628944242f0b9d80204dfddcea4189ee7f703ba4498c6a818c83d570d97477ec1273270fef65e993cb0f6bed2d0c915cd3d68a5b35375e257a3879f4859c869
Score8/10-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
lab_02_win10x64/6562e2ac60afa314cd463f771fcfb8be70f947f6e2b314b0c48187eebb33dd82.exe
-
Size
87KB
-
MD5
a579d53a1d29684de6d2c0cbabd525c5
-
SHA1
17661a04b4b150a6f70afdabe3fd9839cc56bee8
-
SHA256
6562e2ac60afa314cd463f771fcfb8be70f947f6e2b314b0c48187eebb33dd82
-
SHA512
a98456792d7f7c83d0fe6be3ce6c48a4630a073b456848e0c8f614efe292a24fcf8d879ead5f2b418e5e29f46ae9356691383ba57e6066c5cacc0d47e675f817
Score8/10-
Blocklisted process makes network request
-
Loads dropped DLL
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
-
-
Target
lab_02_win10x64/6d34ded00c0da9887ba752872093f59c649de72a1f629a32014f5ed8be509363.exe
-
Size
658KB
-
MD5
f6351da84168d40fae8da0c156fbab0f
-
SHA1
1a2283c85bc5c655f5f2f77f27ec3a9412e8db7e
-
SHA256
6d34ded00c0da9887ba752872093f59c649de72a1f629a32014f5ed8be509363
-
SHA512
9948e83f004bb6d0edf14626660365e469dec444128e820f82066e73177f5de109d048fe226a9cbe95cfc6a99a9d4c501ab3f3900aa2e3677434f03d52694607
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
lab_02_win10x64/a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
-
Size
312KB
-
MD5
3c1228d714eeda8f94ebbcdb1d75a284
-
SHA1
1728dfe3e2378b6c88e859e6af79c32b612aefc6
-
SHA256
a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215
-
SHA512
b3b6e81b9588fbbf42a96e4ce71e7428b52dd9b59a01ac934e63f1bce309609f507ae6f827c776a3eedc0afe45521466c4ddb76b851476fc774c8e3edcf713e4
Score8/10-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
lab_02_win10x64/b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe
-
Size
659KB
-
MD5
b3dc48d13f7d541fa583bf964c0603bf
-
SHA1
1dbaa68adc0a592508f7ad715bfcdf79c17990d6
-
SHA256
b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7
-
SHA512
193bda0656a9d1be54dc655d9af3224ddccb78fc26aa77618fba1e3c36005a0368a200960cc28facc280df667f51a26bbef62282bbf8837cc036a41bfb8525f4
Score8/10-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-