92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3

General
Target

92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3

Size

254KB

Sample

220521-xyzleacge9

Score
10 /10
MD5

175f2d9aebc4ac568a483a86af5e2188

SHA1

1883c73576b01e32c59643f00730906058795175

SHA256

92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3

SHA512

c1801bccb90550511c23524f01278232bed5e03a6e65b01c5d90d683830083d155a035efe1e5c6b64268f594d64b0d0a064a4eb2e5ec1b0fa9f53f517395ee15

Malware Config

Extracted

Family darkcomet
Botnet People
C2

radeiaor111.hopto.org:1604

Attributes
InstallPath
app\update.exe
gencode
JRjs4z5EKcwD
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate
Targets
Target

92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3

MD5

175f2d9aebc4ac568a483a86af5e2188

Filesize

254KB

Score
10/10
SHA1

1883c73576b01e32c59643f00730906058795175

SHA256

92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3

SHA512

c1801bccb90550511c23524f01278232bed5e03a6e65b01c5d90d683830083d155a035efe1e5c6b64268f594d64b0d0a064a4eb2e5ec1b0fa9f53f517395ee15

Signatures

  • Darkcomet

    Description

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence

    TTPs

    Winlogon Helper DLL, Modify Registry
  • Modifies security service

    TTPs

    Modify Registry, Modify Existing Service
  • Windows security bypass

    TTPs

    Disabling Security Tools, Modify Registry
  • Disables RegEdit via registry modification

  • Executes dropped EXE

  • Sets file to hidden

    Description

    Sets file attributes so the file does not appear in Explorer and similar directory listings.

    TTPs

    Hidden Files and Directories
  • UPX packed file

    Description

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Checks computer location settings

    Description

    Looks up the country code configured in the registry, likely for geofencing.

    TTPs

    Query Registry, System Information Discovery
  • Deletes itself

  • Loads dropped DLL

  • Windows security modification

    TTPs

    Disabling Security Tools, Modify Registry
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
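
The extracted config (C2 host and port, the MicroUpdate Run value, the app\update.exe install path) and the persistence and anti-analysis signatures above translate directly into host and network hunting logic. The following is an added example written for this page, not code from the sandbox or from DarkComet: it scans constructed Sysmon-style events (registry value set, DNS query, network connection) for those indicators. The mapping of the signature names to specific registry values (Winlogon Shell/Userinit, DisableRegistryTools) and the AppData\Roaming install root used in the sample events are assumptions; the config only gives the relative path.

```python
"""
Hunt for this report's DarkComet indicators in Sysmon-style telemetry.

Added example; not code from the sandbox report or from DarkComet itself.
The events below are constructed to mirror a few Sysmon fields (EventID,
TargetObject, Details, QueryName, DestinationHostname, DestinationPort);
a real deployment would feed parsed EVTX or SIEM records into hunt().
"""
import re

# Indicators copied from the extracted config on this page.
C2_HOST = "radeiaor111.hopto.org"
C2_PORT = 1604
RUN_VALUE_NAME = "MicroUpdate"           # config "reg_key"
INSTALL_PATH_SUFFIX = r"app\update.exe"  # config "InstallPath" (relative; install root not given)

# Registry locations behind the listed signatures. Mapping the signature
# names to these values is an assumption made for this example.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.I)
WINLOGON_RE = re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I)
DISABLE_REGEDIT_RE = re.compile(r"\\Policies\\System\\DisableRegistryTools$", re.I)


def check_event(ev):
    """Return (rule, detail) findings for one event; an empty list means clean."""
    findings = []
    eid = ev.get("EventID")
    if eid == 13:  # RegistryEvent: value set
        target = ev.get("TargetObject", "")
        details = str(ev.get("Details", ""))
        run = RUN_KEY_RE.search(target)
        if run:
            name = run.group(2)
            if name.lower() == RUN_VALUE_NAME.lower():
                findings.append(("darkcomet_run_key", f"{name} -> {details}"))
            elif details.lower().endswith(INSTALL_PATH_SUFFIX.lower()):
                findings.append(("darkcomet_install_path", f"{name} -> {details}"))
            else:  # any other new autostart is worth a look, but is not a DarkComet hit
                findings.append(("run_key_added", f"{name} -> {details}"))
        elif WINLOGON_RE.search(target):
            findings.append(("winlogon_helper_modified", f"{target} -> {details}"))
        elif DISABLE_REGEDIT_RE.search(target) and details.lower() in ("1", "dword (0x00000001)"):
            findings.append(("regedit_disabled", target))
    elif eid == 22:  # DNSEvent
        if ev.get("QueryName", "").lower() == C2_HOST:
            findings.append(("darkcomet_c2_dns", ev["QueryName"]))
    elif eid == 3:  # NetworkConnect
        host = ev.get("DestinationHostname", "").lower()
        port = int(ev.get("DestinationPort") or 0)
        if host == C2_HOST:
            findings.append(("darkcomet_c2_connect", f"{host}:{port}"))
        elif port == C2_PORT:  # same port, different host: weaker signal
            findings.append(("darkcomet_c2_port", f"{host}:{port}"))
    return findings


def hunt(events):
    """Scan events in order; return (index, rule, detail) for every finding."""
    return [(i, rule, detail) for i, ev in enumerate(events) for rule, detail in check_event(ev)]


# Constructed events approximating what this sample would leave behind.
# The AppData\Roaming install root is assumed; the config only gives app\update.exe.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate",
     "Details": r"C:\Users\victim\AppData\Roaming\app\update.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\victim\AppData\Roaming\app\update.exe"},
    {"EventID": 22, "QueryName": "radeiaor111.hopto.org"},
    {"EventID": 3, "DestinationHostname": "radeiaor111.hopto.org", "DestinationPort": "1604"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 22, "QueryName": "www.example.com"},
]

if __name__ == "__main__":
    for idx, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

The config-derived rules (Run value name, C2 host) are the high-confidence matches; the Winlogon and DisableRegistryTools checks fire on the behaviour class rather than this specific build, and a bare port-1604 connection to an unknown host is reported separately as a weaker signal so it can be triaged rather than alerted on.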

MITRE ATT&CK Matrix

Tactic columns shown: Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation