General

  • Target

    ddd2d7bdce44a310ad556546fea28779c5681038e43173f3f2634b02bb667de7

  • Size

    644KB

  • Sample

    221003-b7wefscffq

  • MD5

    43a0f72e171d7fd4f453df50b0084bf0

  • SHA1

    9077d663a1e5f11bc3d321702191322ec27640a2

  • SHA256

    ddd2d7bdce44a310ad556546fea28779c5681038e43173f3f2634b02bb667de7

  • SHA512

    5ac828f7e5978608c0978fc25dadae168d812d571de222a2dd959e0a5beb4c7c07936fe469f65cc8aa5827822fe6e99fc7227e746e8b7ea85c180d7917002364

  • SSDEEP

    12288:BDzjXIrL/9Pz7zZEuur8ci6RuFvvaipMT47mdbgLZVcp5T8zis4tj:lzjWFcAciDp3pdmdbCVcpJQirj

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    OZO EGO E MONEY

  • C2

    ozowarac.duckdns.org:3361

  • Mutex

    GEGGGGGG

Attributes
  • gencode

    w12MLsqVoZu3

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      ddd2d7bdce44a310ad556546fea28779c5681038e43173f3f2634b02bb667de7

    • Size

      644KB

    • MD5

      43a0f72e171d7fd4f453df50b0084bf0

    • SHA1

      9077d663a1e5f11bc3d321702191322ec27640a2

    • SHA256

      ddd2d7bdce44a310ad556546fea28779c5681038e43173f3f2634b02bb667de7

    • SHA512

      5ac828f7e5978608c0978fc25dadae168d812d571de222a2dd959e0a5beb4c7c07936fe469f65cc8aa5827822fe6e99fc7227e746e8b7ea85c180d7917002364

    • SSDEEP

      12288:BDzjXIrL/9Pz7zZEuur8ci6RuFvvaipMT47mdbgLZVcp5T8zis4tj:lzjWFcAciDp3pdmdbCVcpJQirj

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Sets file to hidden

      Sets the hidden attribute on a file so that it is not shown in Explorer or in a default directory listing.

    • Checks computer location settings

      Reads the country code configured in the registry, most likely to geofence execution.

    • Adds Run key to start application

      Writes an autostart entry under a CurrentVersion\Run key. The extracted config reports install and persistence as false, so confirm the written key and value in the task's registry activity rather than inferring them from the config.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites a thread's register state; outside of debuggers it is mostly seen when injected code is started in a suspended process (process hollowing).
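The C2 host and port in the extracted config and the Run-key behaviour in the signature list are the parts of this report a detection engineer would turn into rules. The following is an added example, not part of the Triage report and not DarkComet's own code: it tags Sysmon-style events (process creation, network connection, registry value set, DNS query, using Sysmon's field names) against those indicators. The events, image paths and the value name Updater are constructed for the example; treating both Run and RunOnce as autostart locations is an assumption, since the report does not say which key the sample wrote.

```python
"""Flag Sysmon-style events that match the DarkComet indicators and
behaviours in this report. Added example; the events below are constructed
and use Sysmon's field names (EventID 1/3/13/22)."""
import re

# Indicators copied from the report.
C2_HOST = "ozowarac.duckdns.org"
C2_PORT = 3361
SAMPLE_SHA256 = "ddd2d7bdce44a310ad556546fea28779c5681038e43173f3f2634b02bb667de7"

# Autostart locations behind the "Adds Run key to start application" signature.
# Assumption: the report does not name the hive or value, so Run and RunOnce
# under any hive are both matched.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# The C2 lives under duckdns.org; other names in that zone are worth triage only.
DYNDNS_RE = re.compile(r"\.duckdns\.org$", re.IGNORECASE)


def classify(event):
    """Return the detection tags that fire for one event (empty list if none)."""
    tags = []
    eid = event.get("EventID")
    if eid == 1:  # process creation: compare the logged SHA256 with the sample's
        pairs = (h.split("=", 1) for h in event.get("Hashes", "").split(",") if "=" in h)
        hashes = {k.strip().upper(): v.strip().lower() for k, v in pairs}
        if hashes.get("SHA256") == SAMPLE_SHA256:
            tags.append("known_sample_executed")
    elif eid == 3:  # network connection
        host = event.get("DestinationHostname", "").lower()
        port = event.get("DestinationPort")
        if host == C2_HOST:
            tags.append("c2_connect")
        elif port == C2_PORT and DYNDNS_RE.search(host):
            tags.append("c2_port_dyndns")  # weaker: same port, another duckdns name
    elif eid == 13:  # registry value set
        if RUN_KEY_RE.search(event.get("TargetObject", "")):
            tags.append("run_key_persistence")
    elif eid == 22:  # DNS query
        query = event.get("QueryName", "").lower()
        if query == C2_HOST:
            tags.append("c2_dns")
        elif DYNDNS_RE.search(query):
            tags.append("dyndns_query")
    return tags


def scan(events):
    """Map the index of every event that fires at least one tag to its tags."""
    hits = {}
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            hits[i] = tags
    return hits


# Constructed events: the first four mimic the sample's run, the last two are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\Downloads\invoice.exe",
     "Hashes": "MD5=43A0F72E171D7FD4F453DF50B0084BF0,"
               "SHA256=DDD2D7BDCE44A310AD556546FEA28779C5681038E43173F3F2634B02BB667DE7"},
    {"EventID": 22, "Image": r"C:\Users\victim\Downloads\invoice.exe",
     "QueryName": "ozowarac.duckdns.org"},
    {"EventID": 3, "Image": r"C:\Users\victim\Downloads\invoice.exe",
     "DestinationHostname": "ozowarac.duckdns.org", "DestinationPort": 3361},
    {"EventID": 13, "Image": r"C:\Users\victim\Downloads\invoice.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\Downloads\invoice.exe"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.mozilla.org"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "time.windows.com", "DestinationPort": 123},
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx} (ID {ev['EventID']}, {ev['Image']}): {', '.join(tags)}")
```

The hostname match is the strong signal; the port-only and duckdns-only tags are deliberately separate so they can be routed to triage rather than alerting, since 3361 and dynamic-DNS names are not unique to this sample.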

MITRE ATT&CK Matrix (ATT&CK v6; the number after each technique is how many of the above behaviours map to it)

Persistence

  • Hidden Files and Directories (T1158): 2

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Hidden Files and Directories (T1158): 2

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

  • Remote System Discovery (T1018): 1

Note that these are v6 identifiers: in current ATT&CK, T1158 became sub-technique T1564.001 (Hide Artifacts: Hidden Files and Directories) and T1060 became T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder); T1112, T1012, T1082 and T1018 are unchanged.

Tasks