Overview

overview

10

Static

static

10

fbae158ac6...f8.exe

windows7-x64

10

fbae158ac6...f8.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fbae158ac6dd24def292daa93ee48cc31b500a71fe10c19ddfe9b4c4c030c6f8

  • Size

    699KB

  • Sample

    221126-de2rwabc5t

  • MD5

    bb504aa1e8a618ae1100250b990a0bfe

  • SHA1

    446a7dd6c070cd836f44ea64885e2092aa51e19c

  • SHA256

    fbae158ac6dd24def292daa93ee48cc31b500a71fe10c19ddfe9b4c4c030c6f8

  • SHA512

    ebd509cae43cb74e11ecbc6a37f2425107b3b2145085eb0ff3941ce91c0ad7a4a3771d4863a2ecdcda77c3d6c9087ba271a7edb548e4efb16b47554de9115508

  • SSDEEP

    12288:TmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZKD/XdyF0/9HMeF:TBIGkbxqEcjsWiDxguehC2S7pj

Score
10/10
darkcometneshtadosevasionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

darkcomet

Botnet

DoS

C2

127.0.0.1:1604

Mutex

DC_MUTEX-D1GBSEM

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    Vt4jEdLB1t28

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      fbae158ac6dd24def292daa93ee48cc31b500a71fe10c19ddfe9b4c4c030c6f8

    • Size

      699KB

    • MD5

      bb504aa1e8a618ae1100250b990a0bfe

    • SHA1

      446a7dd6c070cd836f44ea64885e2092aa51e19c

    • SHA256

      fbae158ac6dd24def292daa93ee48cc31b500a71fe10c19ddfe9b4c4c030c6f8

    • SHA512

      ebd509cae43cb74e11ecbc6a37f2425107b3b2145085eb0ff3941ce91c0ad7a4a3771d4863a2ecdcda77c3d6c9087ba271a7edb548e4efb16b47554de9115508

    • SSDEEP

      12288:TmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZKD/XdyF0/9HMeF:TBIGkbxqEcjsWiDxguehC2S7pj

    Score
    10/10
    darkcometneshtadosevasionpersistenceratspywarestealertrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Detect Neshta payload

    • Modifies WinLogon for persistence

      persistence

    • Modifies firewall policy service

      evasion

    • Modifies security service

      evasion

    • Modifies system executable filetype association

      persistence

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Windows security bypass

      evasiontrojan

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks