Overview

overview

10

Static

static

10

bb27aa4832...2e.exe

windows7-x64

10

bb27aa4832...2e.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bb27aa4832e4828b28ccf07fe3bb073076bf679bf279f3097c25151c2a2bbe2e

  • Size

    806KB

  • Sample

    221001-3mjnpscbb4

  • MD5

    6cce54199e92dde8802f7b25f321d3f0

  • SHA1

    7243ccf1ca7b0fe07da0dd872ee194ac2afb5188

  • SHA256

    bb27aa4832e4828b28ccf07fe3bb073076bf679bf279f3097c25151c2a2bbe2e

  • SHA512

    fbd3f04c7e0f0fa86b062e3a1b8e898a91040771b883791fa8c189a14b4193abe13a94da30f05ad14bee5ea60b938fe81d27e19b20f7f9b20ba7bc6ffd0314f5

  • SSDEEP

    12288:m9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hJy1T2GRe:CZ1xuVVjfFoynPaVBUR8f+kN10EB7yje

Score
10/10
darkcometguest16evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

roger7100.ddnd.net:1604

Mutex

DC_MUTEX-5VFJKB8

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    HrMy41p14z4h

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    System32dll

Targets

    • Target

      bb27aa4832e4828b28ccf07fe3bb073076bf679bf279f3097c25151c2a2bbe2e

    • Size

      806KB

    • MD5

      6cce54199e92dde8802f7b25f321d3f0

    • SHA1

      7243ccf1ca7b0fe07da0dd872ee194ac2afb5188

    • SHA256

      bb27aa4832e4828b28ccf07fe3bb073076bf679bf279f3097c25151c2a2bbe2e

    • SHA512

      fbd3f04c7e0f0fa86b062e3a1b8e898a91040771b883791fa8c189a14b4193abe13a94da30f05ad14bee5ea60b938fe81d27e19b20f7f9b20ba7bc6ffd0314f5

    • SSDEEP

      12288:m9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hJy1T2GRe:CZ1xuVVjfFoynPaVBUR8f+kN10EB7yje

    Score
    10/10
    darkcometguest16evasionpersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Hidden Files and Directories

2
T1158

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks