General

  • Target

    98f8775972ce2b704de74a952c53101a4d42f777ba1214db227985adcf12c934

  • Size

    908KB

  • Sample

    221021-wzvs6saac8

  • MD5

    117f5f5a40175e5b63b937fa63645ca5

  • SHA1

    715119d908b7101e9797166e6f5d1438e2a51df2

  • SHA256

    98f8775972ce2b704de74a952c53101a4d42f777ba1214db227985adcf12c934

  • SHA512

    3d08e067ab0f6ff730bd5cdcbf6a3b20a546a8b401abbe23b059f810e3f82aed208908673d552774482ac93f9c3373ccb4fca97b5e99afd78ef8f6800ea3fe61

  • SSDEEP

    24576:k5Xf3yEvbZQGACw+RtY/+TVJIsK/BJt977B:CXfyEvqYY+ToX977B

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Test1

  • C2

    jordanshaw.no-ip.biz:23712

  • Mutex

    DC_MUTEX-EZPTVK1

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    tgPdxeA573G3

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Rundll32

Targets

    • Target

      98f8775972ce2b704de74a952c53101a4d42f777ba1214db227985adcf12c934

    • Size

      908KB

    • MD5

      117f5f5a40175e5b63b937fa63645ca5

    • SHA1

      715119d908b7101e9797166e6f5d1438e2a51df2

    • SHA256

      98f8775972ce2b704de74a952c53101a4d42f777ba1214db227985adcf12c934

    • SHA512

      3d08e067ab0f6ff730bd5cdcbf6a3b20a546a8b401abbe23b059f810e3f82aed208908673d552774482ac93f9c3373ccb4fca97b5e99afd78ef8f6800ea3fe61

    • SSDEEP

      24576:k5Xf3yEvbZQGACw+RtY/+TVJIsK/BJt977B:CXfyEvqYY+ToX977B

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Winlogon Helper DLL (T1004) - 1 signature

  • Hidden Files and Directories (T1158) - 2 signatures

  • Registry Run Keys / Startup Folder (T1060) - 1 signature

Defense Evasion

  • Modify Registry (T1112) - 2 signatures

  • Hidden Files and Directories (T1158) - 2 signatures

Discovery

  • Query Registry (T1012) - 1 signature

  • System Information Discovery (T1082) - 2 signatures

Tasks