Overview

overview

10

Static

static

10

xcgb.exe

windows7_x64

10

xcgb.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    230351e5b4ee08a6583797d942967b059aec63c32eb26427f45d4ff64701b3fe.zip

  • Size

    343KB

  • Sample

    210626-rzl37wz3as

  • MD5

    a6a9bda5e3b1306010c80443e4e21786

  • SHA1

    ff6faf3d2dc091a2806f311b5828cb48ee9c56b8

  • SHA256

    07bb3b2e7cf89aba283ffd7af3daba65b50fcd620a25fb945cc85e7d64b9094b

  • SHA512

    61789a5011e009aefe89a17d165edf85637a9466306a7c509f700844f8b3884356dd86f1ca15f1f97c68bc2754625490de32f126f41eb9562b3be6b43eb937d2

Score
10/10
darkcometevasionpersistencerattrojan

Malware Config

Targets

    • Target

      xcgb.exe

    • Size

      745KB

    • MD5

      c0e4f49d4ea30fe8e04fdba223b44f24

    • SHA1

      42d85163e18f35fd435b5f96a0bce10b8336b440

    • SHA256

      230351e5b4ee08a6583797d942967b059aec63c32eb26427f45d4ff64701b3fe

    • SHA512

      127923ce8310070ef1083b66f92ad5b7faeabb29f2540554fd833e6132d85478f55415344127760f04fe44a7ef8a0acd243d1dec5279510567a4a64777911abc

    Score
    10/10
    darkcometevasionpersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks