General

  • Target

    668c940714a02ba7bfa0aa4cbefbe8f396a0250060d5c7063c729f8fcc57a39c

  • Size

    721KB

  • Sample

    221123-vhqx8aha96

  • MD5

    5ad9bbaeb5b897d6709ccf6329344c4d

  • SHA1

    f38a08ddf26fba1195a8401cff466c47b2dd34b7

  • SHA256

    668c940714a02ba7bfa0aa4cbefbe8f396a0250060d5c7063c729f8fcc57a39c

  • SHA512

    b3ea1fc792ecb88da8141c0767dd74f00a4a97b92dde5874ae32eede400d0f5de4653789bba0b41b4a7d25fddfd6344b2211e3ca1555f1a5c05f19b8ea299513

  • SSDEEP

    12288:QzzZYjt20fxAt0AC2RV97RTyasToWMljuchmUvc0SeLPSoGDfj:QzzZmw0Wt00RxTyKlLUUvc0SISoGDfj

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

house10i.ddns.net:1604

Mutex

DC_MUTEX-L6GEJVR

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    uvQYcLsQZYrq

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      quotations.scr

    • Size

      869KB

    • MD5

      b3744139e8d3392ae463249ff04f917f

    • SHA1

      89094e0d61c52141499bf3d9b71db66486ac7d87

    • SHA256

      6d1d93c0f1a984872cb722531f622b103128249e819e43c1378fecf2a58a09bb

    • SHA512

      f5aaa00fbad5337fda4808adea1d18931a4d5dd2bbc67cf5348f18f3438ca8878e799404b210702f0f0c6ed0c2a24c73ec9e8932d7b02ec7c997c85ed65f2712

    • SSDEEP

      12288:1qQADfHsnjusfToB0+cARh97RPyGSTciWBjKchwebSSieLneTO7uA8a:HADfHWyssB0ER1PyUB3GebSSiweq7uA

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (T1064): 1

  • Persistence

    Winlogon Helper DLL (T1004): 1

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2

    Scripting (T1064): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

Tasks