Overview

overview

10

Static

static

10

844fdc3072...41.exe

windows7_x64

10

844fdc3072...41.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    844fdc307207e49c308561468f99e2255b4c2759370e1c3b13919db926630d41

  • Size

    846KB

  • Sample

    210914-hw9w2afbg2

  • MD5

    54980a2c2e132311d59f1a40dda738d6

  • SHA1

    df9d197eb624843946f49c43bb9d2f91177db165

  • SHA256

    844fdc307207e49c308561468f99e2255b4c2759370e1c3b13919db926630d41

  • SHA512

    e1b6a08c06e07fb59e3964d07d15873b71fa8178b8826bb2a2f428715325c03af47454a516b1d411be64cee3c2a902987cfc9c9f517018d27f0ed6b97fed7d60

Score
10/10
darkcometsazanpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

C2

remcoskullan�m.duckdns.org:80

Mutex

DC_MUTEX-3S6A2GM

Attributes
  • InstallPath

    MSDCSC\minecraft son s�r�m reach.exe

  • gencode

    Qt7RzAMuvyL0

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      844fdc307207e49c308561468f99e2255b4c2759370e1c3b13919db926630d41

    • Size

      846KB

    • MD5

      54980a2c2e132311d59f1a40dda738d6

    • SHA1

      df9d197eb624843946f49c43bb9d2f91177db165

    • SHA256

      844fdc307207e49c308561468f99e2255b4c2759370e1c3b13919db926630d41

    • SHA512

      e1b6a08c06e07fb59e3964d07d15873b71fa8178b8826bb2a2f428715325c03af47454a516b1d411be64cee3c2a902987cfc9c9f517018d27f0ed6b97fed7d60

    Score
    10/10
    darkcometsazanpersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks