General

  • Target

    c3c5bcc0cd14d6dbc073e4565edf660d9c377a83dbae49132e9e4c3b526da02d

  • Size

    2.5MB

  • Sample

    210921-kdkwasghb4

  • MD5

    f257a4e79645b6727ac8cd48c80cb3ce

  • SHA1

    e4e775ea5cbca89c0f1c362066fcd0042351fdce

  • SHA256

    c3c5bcc0cd14d6dbc073e4565edf660d9c377a83dbae49132e9e4c3b526da02d

  • SHA512

    c6e31654f6be3348401ab6b56ce16430fb16d462d0b186508cf5fd69842ff1132240368eec27d00271a6cabc8500619db428d23f5da474c925345a63416c800b

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

127.0.0.1:1604

Mutex

DCMIN_MUTEX-FLMDWNQ

Attributes
  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    G9QPn0wrb19b

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    DarkComet RAT

Targets

    • Target

      c3c5bcc0cd14d6dbc073e4565edf660d9c377a83dbae49132e9e4c3b526da02d

    • Size

      2.5MB

    • MD5

      f257a4e79645b6727ac8cd48c80cb3ce

    • SHA1

      e4e775ea5cbca89c0f1c362066fcd0042351fdce

    • SHA256

      c3c5bcc0cd14d6dbc073e4565edf660d9c377a83dbae49132e9e4c3b526da02d

    • SHA512

      c6e31654f6be3348401ab6b56ce16430fb16d462d0b186508cf5fd69842ff1132240368eec27d00271a6cabc8500619db428d23f5da474c925345a63416c800b

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Blocklisted process makes network request

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

3
T1112

Virtualization/Sandbox Evasion

1
T1497

Discovery

Query Registry

1
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Tasks