Overview

overview

10

Static

static

e9977b64d7...d5.exe

windows7-x64

10

e9977b64d7...d5.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5

  • Size

    764KB

  • Sample

    221003-qfzecsggc4

  • MD5

    46a672f6e852bd37395495f7a8d7f790

  • SHA1

    70fe5eb7f66daef78e117b3d032fdc0b5605fed4

  • SHA256

    e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5

  • SHA512

    8d87c50f2090f66d4fff9fa5b52c01fa4f6ca74b4ecc644b24c6a520debcbb8d1f3e044ca96f66cdd70c6224d7d4dbbd3c9002b3a4665098d4f196d3ed426c0e

  • SSDEEP

    12288:NNxpH49zf8v8VhfmbhIYvbO0C1m4JSqsj4LQ6eBWMAI++1p:NNH49L8ShMuh1/2j4LQ1B+a

Score
10/10
darkcomethackedevasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

HACKED

C2

njhostaddbots.no-ip.org:1604

Mutex

DC_MUTEX-5LR8UFZ

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    JQrCNZocD9Jw

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5

    • Size

      764KB

    • MD5

      46a672f6e852bd37395495f7a8d7f790

    • SHA1

      70fe5eb7f66daef78e117b3d032fdc0b5605fed4

    • SHA256

      e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5

    • SHA512

      8d87c50f2090f66d4fff9fa5b52c01fa4f6ca74b4ecc644b24c6a520debcbb8d1f3e044ca96f66cdd70c6224d7d4dbbd3c9002b3a4665098d4f196d3ed426c0e

    • SSDEEP

      12288:NNxpH49zf8v8VhfmbhIYvbO0C1m4JSqsj4LQ6eBWMAI++1p:NNH49L8ShMuh1/2j4LQ1B+a

    Score
    10/10
    darkcomethackedevasionpersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Hidden Files and Directories

2
T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks