Overview

overview

10

Static

static

10

lab_02_win...5b.exe

windows7_x64

8

lab_02_win...5b.exe

windows10_x64

8

lab_02_win...82.exe

windows7_x64

8

lab_02_win...82.exe

windows10_x64

8

lab_02_win...63.exe

windows7_x64

10

lab_02_win...63.exe

windows10_x64

10

lab_02_win...15.exe

windows7_x64

8

lab_02_win...15.exe

windows10_x64

8

lab_02_win...c7.exe

windows7_x64

8

lab_02_win...c7.exe

windows10_x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    lab_02_win10x64.zip

  • Size

    1.4MB

  • Sample

    210625-mbd6hp68wx

  • MD5

    016372049572bd04a23e50f131217627

  • SHA1

    2b1276f7efcb94798d39e0913bb5ed63f1e8b720

  • SHA256

    3d445366066d1c084f489995e476abe8e1204fa1918468868c4f90cabd2e5817

  • SHA512

    fb139ec75a88edc271f974f6612ec176bcdb360e1e073fa288d550612d2c4a0a9c3993afc24c65146ca8c051655d03cc7e86d774e14ce72722206dc39df93e1d

Score
10/10
darkcometguest16evasionpersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

test213.no-ip.info:1604

Mutex

DC_MUTEX-KHNEW06

Attributes
  • InstallPath

    MSDCSC\runddl32.exe

  • gencode

    F6FE8i2BxCpu

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      lab_02_win10x64/1e3966e77ad1cbf3e3ef76803fbf92300b2b88af39650a1208520e0cdc05645b.exe

    • Size

      766KB

    • MD5

      405dba47e2b03f53db2101444e6a925c

    • SHA1

      ed769ff77f46730a9b58a111c52f9e498ec00838

    • SHA256

      1e3966e77ad1cbf3e3ef76803fbf92300b2b88af39650a1208520e0cdc05645b

    • SHA512

      3628944242f0b9d80204dfddcea4189ee7f703ba4498c6a818c83d570d97477ec1273270fef65e993cb0f6bed2d0c915cd3d68a5b35375e257a3879f4859c869

    Score
    8/10
    persistenceupx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      lab_02_win10x64/6562e2ac60afa314cd463f771fcfb8be70f947f6e2b314b0c48187eebb33dd82.exe

    • Size

      87KB

    • MD5

      a579d53a1d29684de6d2c0cbabd525c5

    • SHA1

      17661a04b4b150a6f70afdabe3fd9839cc56bee8

    • SHA256

      6562e2ac60afa314cd463f771fcfb8be70f947f6e2b314b0c48187eebb33dd82

    • SHA512

      a98456792d7f7c83d0fe6be3ce6c48a4630a073b456848e0c8f614efe292a24fcf8d879ead5f2b418e5e29f46ae9356691383ba57e6066c5cacc0d47e675f817

    Score
    8/10
    persistence

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    behavioral3behavioral4

    • Target

      lab_02_win10x64/6d34ded00c0da9887ba752872093f59c649de72a1f629a32014f5ed8be509363.exe

    • Size

      658KB

    • MD5

      f6351da84168d40fae8da0c156fbab0f

    • SHA1

      1a2283c85bc5c655f5f2f77f27ec3a9412e8db7e

    • SHA256

      6d34ded00c0da9887ba752872093f59c649de72a1f629a32014f5ed8be509363

    • SHA512

      9948e83f004bb6d0edf14626660365e469dec444128e820f82066e73177f5de109d048fe226a9cbe95cfc6a99a9d4c501ab3f3900aa2e3677434f03d52694607

    Score
    10/10
    darkcometguest16evasionpersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral5behavioral6

    • Target

      lab_02_win10x64/a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe

    • Size

      312KB

    • MD5

      3c1228d714eeda8f94ebbcdb1d75a284

    • SHA1

      1728dfe3e2378b6c88e859e6af79c32b612aefc6

    • SHA256

      a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215

    • SHA512

      b3b6e81b9588fbbf42a96e4ce71e7428b52dd9b59a01ac934e63f1bce309609f507ae6f827c776a3eedc0afe45521466c4ddb76b851476fc774c8e3edcf713e4

    Score
    8/10
    persistence

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      lab_02_win10x64/b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe

    • Size

      659KB

    • MD5

      b3dc48d13f7d541fa583bf964c0603bf

    • SHA1

      1dbaa68adc0a592508f7ad715bfcdf79c17990d6

    • SHA256

      b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7

    • SHA512

      193bda0656a9d1be54dc655d9af3224ddccb78fc26aa77618fba1e3c36005a0368a200960cc28facc280df667f51a26bbef62282bbf8837cc036a41bfb8525f4

    Score
    8/10

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral9behavioral10

MITRE ATT&CK Enterprise v6

Tasks