Overview

overview

10

Static

static

10

0e46620acc...c8.exe

windows7-x64

10

0e46620acc...c8.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0e46620accda5f83e27f33d66def025dc0c96a61b979fac5ec2918e4af2344c8

  • Size

    658KB

  • Sample

    221001-3mwchacbc3

  • MD5

    744135e764e456390a04d6d4dc98b93a

  • SHA1

    19634366d2723aade5a2c27bfa6ba938efee5088

  • SHA256

    0e46620accda5f83e27f33d66def025dc0c96a61b979fac5ec2918e4af2344c8

  • SHA512

    93bfbeaa32400b2a0fe202ad436f98225554361c749f70acf252343d7a6e3955359a2d8fca1b1c2893e2c9ab59b5abb06139204280b4bcbd55bbc806c72c0404

  • SSDEEP

    12288:e9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hT:qZ1xuVVjfFoynPaVBUR8f+kN10EBl

Score
10/10
darkcometguest16evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

idontrat.no-ip.org:1956

idontrat.no-ip.org:1789
Mutex

DC_MUTEX-YXTU8QP

Attributes
  • InstallPath

    MSDCSC\svchost.exe

  • gencode

    vHjVHcPX7aEf

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    svchost

Targets

    • Target

      0e46620accda5f83e27f33d66def025dc0c96a61b979fac5ec2918e4af2344c8

    • Size

      658KB

    • MD5

      744135e764e456390a04d6d4dc98b93a

    • SHA1

      19634366d2723aade5a2c27bfa6ba938efee5088

    • SHA256

      0e46620accda5f83e27f33d66def025dc0c96a61b979fac5ec2918e4af2344c8

    • SHA512

      93bfbeaa32400b2a0fe202ad436f98225554361c749f70acf252343d7a6e3955359a2d8fca1b1c2893e2c9ab59b5abb06139204280b4bcbd55bbc806c72c0404

    • SSDEEP

      12288:e9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hT:qZ1xuVVjfFoynPaVBUR8f+kN10EBl

    Score
    10/10
    darkcometguest16evasionpersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Modifies firewall policy service

      evasion

    • Modifies security service

      evasion

    • Windows security bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

2
T1031

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

6
T1112

Disabling Security Tools

2
T1089

Hidden Files and Directories

2
T1158

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks