darkcomet | 89f3bc10ad7748145c44f746066f152f6ccf05e3511c2bfa5873dddc00a03aa6 | Triage

Submit
Reports

Overview

overview

Static

static

89f3bc10ad...a6.exe

windows7-x64

89f3bc10ad...a6.exe

windows10-2004-x64

Sharing

General

Target

89f3bc10ad7748145c44f746066f152f6ccf05e3511c2bfa5873dddc00a03aa6
Size

723KB
Sample

221126-dff7kabc61
MD5

b25bd71e8613309be7244bfa481251a3
SHA1

c1a3de591c2fd1eb0e3e48ea605682e05944ff64
SHA256

89f3bc10ad7748145c44f746066f152f6ccf05e3511c2bfa5873dddc00a03aa6
SHA512

8b711da64fdfd0185fff31afb54bdce3b14c2fd8a6e282ee7a28728d69c899fb6bbf815ef10380cf85389fdf0e28bdf30633c0e05ac7a90d14694cf43ac3c118
SSDEEP

12288:4a9qf8JfWTEa2uD/hCknCwpxKUHolNuPNcz6wNUKW4ZM+MJyXmEG:4awk6Ea2/kCSYYAN+czrUK3DG

Score

10^/10

darkcomet neshta dos evasion persistence rat spyware stealer trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

89f3bc10ad7748145c44f746066f152f6ccf05e3511c2bfa5873dddc00a03aa6.exe

Resource

win7-20220901-en

darkcomet neshta dos evasion persistence rat spyware stealer trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

89f3bc10ad7748145c44f746066f152f6ccf05e3511c2bfa5873dddc00a03aa6.exe

Resource

win10v2004-20220901-en

darkcomet neshta dos evasion persistence rat spyware stealer trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

DOS

C2

85.93.52.232:1604

Mutex

DC_MUTEX-HJF80AB

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
lFGSk0NKV6by
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  89f3bc10ad7748145c44f746066f152f6ccf05e3511c2bfa5873dddc00a03aa6
- Size
  
  723KB
- MD5
  
  b25bd71e8613309be7244bfa481251a3
- SHA1
  
  c1a3de591c2fd1eb0e3e48ea605682e05944ff64
- SHA256
  
  89f3bc10ad7748145c44f746066f152f6ccf05e3511c2bfa5873dddc00a03aa6
- SHA512
  
  8b711da64fdfd0185fff31afb54bdce3b14c2fd8a6e282ee7a28728d69c899fb6bbf815ef10380cf85389fdf0e28bdf30633c0e05ac7a90d14694cf43ac3c118
- SSDEEP
  
  12288:4a9qf8JfWTEa2uD/hCknCwpxKUHolNuPNcz6wNUKW4ZM+MJyXmEG:4awk6Ea2/kCSYYAN+czrUK3DG
Score

10^/10

darkcomet neshta dos evasion persistence rat spyware stealer trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Detect Neshta payload
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Change Default File Association

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometneshtadosevasionpersistenceratspywarestealertrojan

behavioral2

darkcometneshtadosevasionpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy