Overview

overview

10

Static

static

f695eb089d...6c.exe

windows7-x64

10

f695eb089d...6c.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f695eb089d4a33afab87887b5779fe39c48e13594c6b3d76e01393eb36da886c

  • Size

    676KB

  • Sample

    221002-kyh77shfhq

  • MD5

    58d950929edcfc0a3f1def7620d62fd0

  • SHA1

    d062ad6abfc4bf4e5491b70b1200ca2ff7922904

  • SHA256

    f695eb089d4a33afab87887b5779fe39c48e13594c6b3d76e01393eb36da886c

  • SHA512

    cf23ac522ef46f3f42be5e79d36e4c189bee8a1d282fdccec12ffb97e7200fcce4f161b17030c8ea5c90d99be7926732b25f4ab25886f8a3e6466021cfec5fb4

  • SSDEEP

    12288:2QMuiMQn3i8BpVCFeKq9Ipo90lbKSpuQO2tW05l6qK8sWg4gPp73:wrBpMMKGIpu/jJ2EYl6qdgjd

Score
10/10
darkcometguest16discoveryevasionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

79.172.26.136:1604

Mutex

DC_MUTEX-HN17VDB

Attributes
  • InstallPath

    System32\Drivers.exe

  • gencode

    T3NMNGnXGHkl

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      f695eb089d4a33afab87887b5779fe39c48e13594c6b3d76e01393eb36da886c

    • Size

      676KB

    • MD5

      58d950929edcfc0a3f1def7620d62fd0

    • SHA1

      d062ad6abfc4bf4e5491b70b1200ca2ff7922904

    • SHA256

      f695eb089d4a33afab87887b5779fe39c48e13594c6b3d76e01393eb36da886c

    • SHA512

      cf23ac522ef46f3f42be5e79d36e4c189bee8a1d282fdccec12ffb97e7200fcce4f161b17030c8ea5c90d99be7926732b25f4ab25886f8a3e6466021cfec5fb4

    • SSDEEP

      12288:2QMuiMQn3i8BpVCFeKq9Ipo90lbKSpuQO2tW05l6qK8sWg4gPp73:wrBpMMKGIpu/jJ2EYl6qdgjd

    Score
    10/10
    darkcometguest16discoveryevasionpersistenceratspywarestealertrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Modifies firewall policy service

      evasion

    • Modifies security service

      evasion

    • Windows security bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

2
T1031

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

7
T1112

Disabling Security Tools

2
T1089

Hidden Files and Directories

2
T1158

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Tasks