Resubmissions

18-11-2022 14:52

221118-r85mhshf55 1

08-11-2022 14:30

221108-rvcpkscaa3 8

07-11-2022 15:52

221107-tbh4csefh4 8

07-11-2022 10:35

221107-mm5m6secgn 1

06-11-2022 13:08

221106-qdjk5aehgj 9

05-11-2022 20:23

221105-y589vsbhcj 8

05-11-2022 16:11

221105-tm8s6aaggj 10

05-11-2022 07:34

221105-jd7jmaggal 8

04-11-2022 20:40

221104-zgabascfgq 8

General

  • Target

    https://github.com

  • Sample

    221104-yrp9tsaed9

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

gameservice.ddns.net:4320

Mutex

DC_MUTEX-WBUNVXD

Attributes
  • InstallPath

    AudioDriver\taskhost.exe

  • gencode

    EWSsWwgyJrUD

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    AudioDriver

Targets

    • Target

      https://github.com

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Process Discovery

1
T1057

Tasks