Overview

overview

10

Static

static

10

99c729e892...aa.exe

windows7-x64

10

99c729e892...aa.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    99c729e892438d9b00c453b460eefa51c1739fd402e8c58c71b01a12643d55aa

  • Size

    349KB

  • Sample

    221122-y5z17afh47

  • MD5

    201f5f02fc1285afd214c8f30d3c55a1

  • SHA1

    b545aa3c8633d99c6f51d6d12f1ee15e05d25489

  • SHA256

    99c729e892438d9b00c453b460eefa51c1739fd402e8c58c71b01a12643d55aa

  • SHA512

    f74a13627192e7434067692633f9ca696a4aaaee3c9e2c6a7b97aebc4716f69922c1a337a5cffa999867d29b727c6d18ea52d1cf2774f8420b780b8cfe3df614

  • SSDEEP

    6144:DcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37iQi:DcW7KEZlPzCy37

Score
10/10
darkcometslavesevasionpersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

SLAVES

C2

jonas2000.no-ip.org:1700

Mutex

DC_MUTEX-7VS54A6

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    jDkdF6ykRc7c

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      99c729e892438d9b00c453b460eefa51c1739fd402e8c58c71b01a12643d55aa

    • Size

      349KB

    • MD5

      201f5f02fc1285afd214c8f30d3c55a1

    • SHA1

      b545aa3c8633d99c6f51d6d12f1ee15e05d25489

    • SHA256

      99c729e892438d9b00c453b460eefa51c1739fd402e8c58c71b01a12643d55aa

    • SHA512

      f74a13627192e7434067692633f9ca696a4aaaee3c9e2c6a7b97aebc4716f69922c1a337a5cffa999867d29b727c6d18ea52d1cf2774f8420b780b8cfe3df614

    • SSDEEP

      6144:DcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37iQi:DcW7KEZlPzCy37

    Score
    10/10
    darkcometslavesevasionpersistencerattrojanupx

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Modifies firewall policy service

      evasion

    • Modifies security service

      evasion

    • Windows security bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

2
T1031

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

7
T1112

Disabling Security Tools

2
T1089

Hidden Files and Directories

2
T1158

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks