General

  • Target

    bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55

  • Size

    915KB

  • Sample

    221030-xxtzjafba6

  • MD5

    81d66a2e08aaf9b51a82b734b86c9e80

  • SHA1

    48e5d46a6c5b95e1be88fa7a175a9d32358ec1dc

  • SHA256

    bdce122320dd4dcbf31e169609b231cd1cf6de1bd6286cc3b75738bfbd1a6d55

  • SHA512

    46c21077a8fe9523038c64e0c5aa85a801299ac809b771237a111becf4acbfaaa7ce6a45668bdeafa9949b34dccbc19424258c739334e3a7418b620ba1eb272d

  • SSDEEP

    24576:5N1fAXro36rn7cdkr+HBYKMUkM0m+UaPtS:HqXrFLgyaqKHkhm+PPt

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    WIFE-US

  • C2

    127.0.0.1:1604
    linep.no-ip.org:1604

  • Mutex

    DC_MUTEX-AMR7Z0X

Attributes

  • gencode

    WDR3l3d5DWC1

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
