General

  • Target

    5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e

  • Size

    681KB

  • Sample

    221011-k9lgpsfgb3

  • MD5

    4e0811569886759752e02fe7cb9d2a90

  • SHA1

    b7d1288f56c430e1e65b5034c938b38a986f228a

  • SHA256

    5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e

  • SHA512

    b9c7ab963b07d1416d5f119c52a8c2577157b7a780d73678e54aa871ac67f42f81a2f3d0af88568e1b3395d2609d5a0fb628b85c1ba40a88e70aa9f0445a763e

  • SSDEEP

    12288:r9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hD:lZ1xuVVjfFoynPaVBUR8f+kN10EBB

Malware Config

Extracted

Family

darkcomet

Botnet

jaja

C2

darkcomet9912.no-ip.biz:80

darkcomet9912.no-ip.biz:82

darkcomet9912.no-ip.biz:10048

81.190.65.57:10048

81.190.65.57:82

81.190.65.57:80

Mutex

DC_MUTEX-E9RCJ06

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    1ue7ZRVqVhWU

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Update

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks