Resubmissions

19-11-2022 21:40

221119-1jgzlacd49 8

19-11-2022 13:48

221119-q4ed4adg34 10

19-11-2022 06:26

221119-g7aqmscg91 10

19-11-2022 05:30

221119-f67hjsbc8t 10

15-11-2022 20:50

221115-zm3j2abf6y 10

15-11-2022 20:50

221115-zmpm6sfh23 10

15-11-2022 20:49

221115-zl6kasfg98 10

15-11-2022 20:19

221115-y4ct9sff87 10

14-11-2022 19:39

221114-yc4tnsdb92 10

14-11-2022 19:34

221114-yakb9adb83 10

General

  • Target

    db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50

  • Size

    206KB

  • Sample

    221115-y4ct9sff87

  • MD5

    3c6bdf4c6b61e2d4603eafad076aa092

  • SHA1

    4ac90d351b8b8a135331be1ae059ebb823347fe1

  • SHA256

    2a6299dfcbcf3186ded295395c7028d651ff178df40d587b531b6bc25f2e3d3f

  • SHA512

    ddaac427bfbf4b1236b1f3d10ab6437eb88d63ec1a44326275eba56d455362e910334931d31b389ef27b51b9e4dde7ab2496ed2ceb5cdff894a86f103351bb37

  • SSDEEP

    6144:uFr8GBofok1bHyX1heFZU1EwFXGHPEuL+ahZ:uLCfoOTyXGQbFMPEib

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

gameservice.ddns.net:4320

Mutex

DC_MUTEX-WBUNVXD

Attributes
  • InstallPath

    AudioDriver\taskhost.exe

  • gencode

    EWSsWwgyJrUD

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    AudioDriver

Targets

    • Target

      db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50

    • Size

      307KB

    • MD5

      0abe50c1509136bf62d2184ab439e7a5

    • SHA1

      722a7e2a0dd66f506ba93d24946b8bf504b100c0

    • SHA256

      db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50

    • SHA512

      0c232d1eaf68c0099fb499fcd40bb33cd604f0259a71b853c296e00cc468342de95548ccf61d9e904cef5d34fd94defbb43f844e9f50a51517c7c95ab66862c5

    • SSDEEP

      6144:Gu0FGLnBOUaLPP7S9dW8dsgMF24raEn2E1a:Gu0wTBOU2Pj6EisgM/uUv

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Detects Smokeloader packer

    • Modifies WinLogon for persistence

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks