General
Target

9a967774e134d423ea04e8079d5236c8363422de1bd4e3e066168df9ccd54e78

Size

283KB

Sample

220420-ta9vpagcf7

Score
10/10
MD5

6bf6d7d7e70cd737716b614f9008417b

SHA1

0c1996ccb192acd5ead43954cc984480fb18d910

SHA256

9a967774e134d423ea04e8079d5236c8363422de1bd4e3e066168df9ccd54e78

SHA512

6999c3f15f7b1c7231990f24c4dbae31ca9fb4faeddc337edfb5e6644f588ddcc103875d2746b7e3852bded61e8024cf2e5b41c1aef0ce05d5ba711c74474d33

Malware Config

Extracted

Family

darkcomet

Botnet

1

C2

192.168.0.5:81

192.168.0.5:1604

ilyakon213.hopto.org:1604

ilyakon213.hopto.org:81

Attributes
InstallPath
system.exe
gencode
YFrPALvfbSE1
install
true
offline_keylogger
true
persistence
true
reg_key
system
Targets
Target

9a967774e134d423ea04e8079d5236c8363422de1bd4e3e066168df9ccd54e78

MD5

6bf6d7d7e70cd737716b614f9008417b

Filesize

283KB

Score
10/10
SHA1

0c1996ccb192acd5ead43954cc984480fb18d910

SHA256

9a967774e134d423ea04e8079d5236c8363422de1bd4e3e066168df9ccd54e78

SHA512

6999c3f15f7b1c7231990f24c4dbae31ca9fb4faeddc337edfb5e6644f588ddcc103875d2746b7e3852bded61e8024cf2e5b41c1aef0ce05d5ba711c74474d33

Tags

Signatures

  • Darkcomet

    Description

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    Tags

  • Modifies WinLogon for persistence

    Tags

    TTPs

    Winlogon Helper DLLModify Registry
  • Executes dropped EXE

  • Sets file to hidden

    Description

    Modifies file attributes to stop it showing in Explorer etc.

    Tags

    TTPs

    Hidden Files and Directories
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Deletes itself

  • Loads dropped DLL

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Privilege Escalation
                    Tasks

                    static1

                    Score
                    10/10

                    behavioral1

                    Score
                    10/10

                    behavioral2

                    Score
                    10/10