darkcomet | c8b0cc09763b5168e41a187d1437c81934dbf8dfc08f57aff0d0516c93860eae | Triage

Submit
Reports

Overview

overview

Static

static

8

c8b0cc0976...ae.exe

windows7-x64

c8b0cc0976...ae.exe

windows10-2004-x64

Sharing

General

Target

c8b0cc09763b5168e41a187d1437c81934dbf8dfc08f57aff0d0516c93860eae
Size

406KB
Sample

221126-21s9mabg35
MD5

102efc2dd38871d71cd3930bacca6274
SHA1

b8163edb8f989d6eefaf3fc5a603f5251691f5f8
SHA256

c8b0cc09763b5168e41a187d1437c81934dbf8dfc08f57aff0d0516c93860eae
SHA512

bbc3367a2aa06c529d5dbe2860b659606a6433554011abe0a4011543432cac5ad21a18a92377cc2609c7b0bbd4203620034f64d159ec924453f027d0469d88e3
SSDEEP

6144:mcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37uwww0JwwmSnvYqm9nxLW0Bs/kw:mcW7KEZlPzCy37p2L

Score

10^/10

darkcomet ramnit guest16 banker evasion persistence rat spyware stealer trojan upx worm

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

c8b0cc09763b5168e41a187d1437c81934dbf8dfc08f57aff0d0516c93860eae.exe

Resource

win7-20220812-en

darkcomet ramnit guest16 banker evasion persistence rat spyware stealer trojan upx worm

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

c8b0cc09763b5168e41a187d1437c81934dbf8dfc08f57aff0d0516c93860eae.exe

Resource

win10v2004-20220901-en

darkcomet ramnit guest16 banker evasion persistence rat spyware stealer trojan upx worm

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

192.168.0.103:1604

Mutex

DC_MUTEX-KQHPF2S

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
lyoggkBoDnrh
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  c8b0cc09763b5168e41a187d1437c81934dbf8dfc08f57aff0d0516c93860eae
- Size
  
  406KB
- MD5
  
  102efc2dd38871d71cd3930bacca6274
- SHA1
  
  b8163edb8f989d6eefaf3fc5a603f5251691f5f8
- SHA256
  
  c8b0cc09763b5168e41a187d1437c81934dbf8dfc08f57aff0d0516c93860eae
- SHA512
  
  bbc3367a2aa06c529d5dbe2860b659606a6433554011abe0a4011543432cac5ad21a18a92377cc2609c7b0bbd4203620034f64d159ec924453f027d0469d88e3
- SSDEEP
  
  6144:mcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37uwww0JwwmSnvYqm9nxLW0Bs/kw:mcW7KEZlPzCy37p2L
Score

10^/10

darkcomet ramnit guest16 banker evasion persistence rat spyware stealer trojan upx worm
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometramnitguest16bankerevasionpersistenceratspywarestealertrojanupxworm

behavioral2

darkcometramnitguest16bankerevasionpersistenceratspywarestealertrojanupxworm

© 2018-2024

Terms | Privacy