Overview

overview

10

Static

static

2fb5773088...ab.exe

windows7-x64

10

2fb5773088...ab.exe

windows10-2004-x64

6

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2fb57730888928c519502ebd41cf6ea6397ddbf156e2e997046b6103666f9cab

  • Size

    747KB

  • Sample

    221012-vasrvacbcl

  • MD5

    60ff825e3ff5052c835683f1fb29c120

  • SHA1

    a9cfe3bf2cec17f9418796472f7df10c8e185bd9

  • SHA256

    2fb57730888928c519502ebd41cf6ea6397ddbf156e2e997046b6103666f9cab

  • SHA512

    0aa723755a46c73991222a6c30d566f2cbf5b803846741b8c03e638af77c9af62e08a000e6421ba2b48f97d2d66cee02cee6fa762d75b28e140f7ba3f2d18d3c

  • SSDEEP

    12288:AWK7oOJcwYaz1scSsuvKfKdEJuw/p4ot36uddMVL88Dp76c:6Fttz1sZspidZw/6wmV16

Score
10/10
darkcometslavesevasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

slaves

C2

droplul.no-ip.biz:1604

Mutex

DC_MUTEX-0CW3JAL

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    zV0CJmM1DVd0

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      2fb57730888928c519502ebd41cf6ea6397ddbf156e2e997046b6103666f9cab

    • Size

      747KB

    • MD5

      60ff825e3ff5052c835683f1fb29c120

    • SHA1

      a9cfe3bf2cec17f9418796472f7df10c8e185bd9

    • SHA256

      2fb57730888928c519502ebd41cf6ea6397ddbf156e2e997046b6103666f9cab

    • SHA512

      0aa723755a46c73991222a6c30d566f2cbf5b803846741b8c03e638af77c9af62e08a000e6421ba2b48f97d2d66cee02cee6fa762d75b28e140f7ba3f2d18d3c

    • SSDEEP

      12288:AWK7oOJcwYaz1scSsuvKfKdEJuw/p4ot36uddMVL88Dp76c:6Fttz1sZspidZw/6wmV16

    Score
    10/10
    darkcometslavesevasionpersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Hidden Files and Directories

2
T1158

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks