Overview

overview

10

Static

static

10

fbd78d1035...3c.exe

windows7_x64

10

fbd78d1035...3c.exe

windows10-2004_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fbd78d103581e7d9a8298347fcb87cdb3176eb7538f027da928487ed0cc47e3c

  • Size

    1.8MB

  • Sample

    220524-tn6p7ahbd9

  • MD5

    f4d912030fe9d04e7bfe339b6f4924f8

  • SHA1

    1e160913f92776ae15b2fb1ab813017c8142bb6f

  • SHA256

    fbd78d103581e7d9a8298347fcb87cdb3176eb7538f027da928487ed0cc47e3c

  • SHA512

    fe6aabef7d75917a4ac794a731ca2b6192c85d5063d2e6f2ea735d2d25db62c1671edc46b9c427af2d030f0c865c8f488cb41bfc55f01dd10eb31e9a5f49c00d

Score
10/10
darkcometsazandiscoveryevasionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

C2

ak47pr0fessi.duckdns.org:1604

Mutex

DC_MUTEX-KHNPN9J

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    GHG77GpMyW6R

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      fbd78d103581e7d9a8298347fcb87cdb3176eb7538f027da928487ed0cc47e3c

    • Size

      1.8MB

    • MD5

      f4d912030fe9d04e7bfe339b6f4924f8

    • SHA1

      1e160913f92776ae15b2fb1ab813017c8142bb6f

    • SHA256

      fbd78d103581e7d9a8298347fcb87cdb3176eb7538f027da928487ed0cc47e3c

    • SHA512

      fe6aabef7d75917a4ac794a731ca2b6192c85d5063d2e6f2ea735d2d25db62c1671edc46b9c427af2d030f0c865c8f488cb41bfc55f01dd10eb31e9a5f49c00d

    Score
    10/10
    darkcometdiscoveryevasionpersistenceratspywarestealertrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Modifies firewall policy service

      evasion

    • Registers COM server for autorun

      persistence

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

2
T1060

Hidden Files and Directories

2
T1158

Privilege Escalation

Defense Evasion

Modify Registry

4
T1112

Hidden Files and Directories

2
T1158

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks