Overview

overview

10

Static

static

e1988357bf...8a.exe

windows7-x64

10

e1988357bf...8a.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e1988357bf7b368cd41004b28d836914b075f0f35d985c426397d343f0c1e78a

  • Size

    636KB

  • Sample

    221001-zsp6wsgfak

  • MD5

    6aa8b96dc40d343ed01f71a98bc33dd0

  • SHA1

    f3054de583789ae77b90268b89b15842c81da48b

  • SHA256

    e1988357bf7b368cd41004b28d836914b075f0f35d985c426397d343f0c1e78a

  • SHA512

    d248d8f1db0b34dcdee876e3a5e52e8585bfec4d49765458ea620b4276ed5a691deae5eb5007e37ce9979a919c3c8fc59de8fe617dcab6321719a6c8303e7934

  • SSDEEP

    12288:rClWWlTMKehR5IjmGRUqA6bARgoCfrgbisv69Wu:r3WlYKer2Wo0RgoCfriv+

Score
10/10
darkcometguest16persistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

microchip.myftp.org:80

microchip.myftp.org:5190

microchip.myftp.org:25

microchip.myftp.org:110

microchip.myftp.org:945
Mutex

DC_MUTEX-22M89DH

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    bNsEugEKgtYk

  • install

    true

  • offline_keylogger

    true

  • password

    pa$$w0rd117756

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      e1988357bf7b368cd41004b28d836914b075f0f35d985c426397d343f0c1e78a

    • Size

      636KB

    • MD5

      6aa8b96dc40d343ed01f71a98bc33dd0

    • SHA1

      f3054de583789ae77b90268b89b15842c81da48b

    • SHA256

      e1988357bf7b368cd41004b28d836914b075f0f35d985c426397d343f0c1e78a

    • SHA512

      d248d8f1db0b34dcdee876e3a5e52e8585bfec4d49765458ea620b4276ed5a691deae5eb5007e37ce9979a919c3c8fc59de8fe617dcab6321719a6c8303e7934

    • SSDEEP

      12288:rClWWlTMKehR5IjmGRUqA6bARgoCfrgbisv69Wu:r3WlYKer2Wo0RgoCfriv+

    Score
    10/10
    darkcometguest16persistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks