Overview

overview

10

Static

static

8b06f2e6da...47.exe

windows7-x64

10

8b06f2e6da...47.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8b06f2e6daad66479102faa65ba46b40d5cd6e3335cf3902971dcd753b37d347

  • Size

    5.0MB

  • Sample

    221123-vkqp8shc62

  • MD5

    9580c6ee0ec3d08c29020c0dbff23cfa

  • SHA1

    4f8ee5461fe1300e42bfb62747597ed6e339ff29

  • SHA256

    8b06f2e6daad66479102faa65ba46b40d5cd6e3335cf3902971dcd753b37d347

  • SHA512

    491aef0102cbd7d9816b79dac6673607119bc7778c0e1564dc5e60dea6ca265530771fe7855843126fe9322871d50e52aab210984951571468a90805f0bf2f79

  • SSDEEP

    24576:57xgtwBETvT1r+gjhgMp6RZ+XI7vkb4u+yEZEWkc5wiOCjIlwfo915SQEtxZiQWT:36wwv5nh4RWIhltp67CMwfe1+tKSM5

Score
10/10
darkcometcrypto botpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Crypto Bot

C2

estherr.no-ip.biz:5604

Mutex

DC_MUTEX-4P0JZTL

Attributes
  • gencode

    x1lNFj9h0ysn

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      8b06f2e6daad66479102faa65ba46b40d5cd6e3335cf3902971dcd753b37d347

    • Size

      5.0MB

    • MD5

      9580c6ee0ec3d08c29020c0dbff23cfa

    • SHA1

      4f8ee5461fe1300e42bfb62747597ed6e339ff29

    • SHA256

      8b06f2e6daad66479102faa65ba46b40d5cd6e3335cf3902971dcd753b37d347

    • SHA512

      491aef0102cbd7d9816b79dac6673607119bc7778c0e1564dc5e60dea6ca265530771fe7855843126fe9322871d50e52aab210984951571468a90805f0bf2f79

    • SSDEEP

      24576:57xgtwBETvT1r+gjhgMp6RZ+XI7vkb4u+yEZEWkc5wiOCjIlwfo915SQEtxZiQWT:36wwv5nh4RWIhltp67CMwfe1+tKSM5

    Score
    10/10
    darkcometcrypto botpersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Process Discovery

1
T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks