General

  • Target

    eac97654d08020adbfe753a3b202202b5c62589e34f2097cd71a8a8d8b14bda7

  • Size

    825KB

  • Sample

    221030-nx2vpsadan

  • MD5

    5a6b430cc8ebd6b4ea8aab5833a1cbdf

  • SHA1

    99c87aecf5a7b5658fd1352dc97ad148a2545f2c

  • SHA256

    eac97654d08020adbfe753a3b202202b5c62589e34f2097cd71a8a8d8b14bda7

  • SHA512

    9ac2a08bf0983c570cc143b2b4f7f5db36c092a1159979063d3d9719eae3913c1b765eab242823008951f56cb4bc69edef2b46be894f3d35310ff6565ca58922

  • SSDEEP

    24576:74nInLWoUHdj79beliFLfqd0c4ifqPHdvj5yL5j:MILWtHXFDvhHHdrkp

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    2

  • C2

    127.0.0.1:1604

  • Mutex

    DC_MUTEX-HPTFP88

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    A4rqb41NhVrE

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar file listings.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • Scripting (T1064): 1

Persistence

  • Winlogon Helper DLL (T1004): 1

  • Hidden Files and Directories (T1158): 2

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 2

  • Hidden Files and Directories (T1158): 2

  • Scripting (T1064): 1