darkcomet | 60040b6228aec0439d42fa0cea6347ac41626a2750b532dd0e01d6b88e0a4554 | Triage

Submit
Reports

Overview

overview

Static

static

60040b6228...54.exe

windows7-x64

60040b6228...54.exe

windows10-2004-x64

Sharing

General

Target

60040b6228aec0439d42fa0cea6347ac41626a2750b532dd0e01d6b88e0a4554
Size

309KB
Sample

221108-y92qksfgd3
MD5

098c182508b120ea5aecb3bfe0a40c70
SHA1

a09b9ce8b8712cf5277213d18246cd9c0947bef9
SHA256

60040b6228aec0439d42fa0cea6347ac41626a2750b532dd0e01d6b88e0a4554
SHA512

c1a61730d4579e2556731fabb3e2096e3eb6f68c1d66f54f45fc903a279becb5e470f9346689a1cd79751b12a652b59dde579b00758f8b3e8d4e84ca84f51829
SSDEEP

6144:0ONclWWRnUh8i2sgUUJ5p9+RUkARNTO5sNjOkK7rV8L7ilH5:3/CiNmp9+RUrLO5sxK7R8KlZ

Score

10^/10

darkcomet modiloader hf persistence rat trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

60040b6228aec0439d42fa0cea6347ac41626a2750b532dd0e01d6b88e0a4554.exe

Resource

win7-20220901-en

darkcomet modiloader hf persistence rat trojan upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

60040b6228aec0439d42fa0cea6347ac41626a2750b532dd0e01d6b88e0a4554.exe

Resource

win10v2004-20220901-en

darkcomet modiloader hf persistence rat trojan upx

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

HF

C2

woxpaska.no-ip.org:1604

Mutex

DC_MUTEX-RZ3HY47

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
2BAgScd4816q
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  60040b6228aec0439d42fa0cea6347ac41626a2750b532dd0e01d6b88e0a4554
- Size
  
  309KB
- MD5
  
  098c182508b120ea5aecb3bfe0a40c70
- SHA1
  
  a09b9ce8b8712cf5277213d18246cd9c0947bef9
- SHA256
  
  60040b6228aec0439d42fa0cea6347ac41626a2750b532dd0e01d6b88e0a4554
- SHA512
  
  c1a61730d4579e2556731fabb3e2096e3eb6f68c1d66f54f45fc903a279becb5e470f9346689a1cd79751b12a652b59dde579b00758f8b3e8d4e84ca84f51829
- SSDEEP
  
  6144:0ONclWWRnUh8i2sgUUJ5p9+RUkARNTO5sNjOkK7rV8L7ilH5:3/CiNmp9+RUrLO5sxK7R8KlZ
Score

10^/10

darkcomet modiloader hf persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies WinLogon for persistence
  persistence
- ModiLoader Second Stage
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometmodiloaderhfpersistencerattrojanupx

behavioral2

darkcometmodiloaderhfpersistencerattrojanupx

© 2018-2024

Terms | Privacy