darkcomet | 557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced | Triage

Submit
Reports

Overview

overview

Static

static

557e5a41f5...ed.exe

windows7-x64

557e5a41f5...ed.exe

windows10-2004-x64

Sharing

General

Target

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced
Size

713KB
Sample

221126-dfj88abc7v
MD5

4e99032cf799aad0a5b32fda617d3498
SHA1

e67deed6bfe806777b04266274713f3ed207fbff
SHA256

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced
SHA512

21aa9b2b080684fb976ce3f1a97b51159feb7a8113e30375ae63ae929b49ef35782755dd4c35b3d5f1c1a4955638532839e31a885e475c8f867c4ba2799453e3
SSDEEP

12288:aKkRlAZIWi9UnAqyYkYIxPzO7/zeGI/l6HijbiPFFJuPLn:asZIWvnAGkYuqbvH7yPj

Score

10^/10

darkcomet neshta guest16 persistence rat spyware stealer trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe

Resource

win7-20220812-en

darkcomet neshta guest16 persistence rat spyware stealer trojan upx

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced.exe

Resource

win10v2004-20220812-en

darkcomet neshta guest16 persistence rat spyware stealer trojan upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

85.93.52.232:1604

Mutex

DC_MUTEX-X9V30LL

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
PMQDeEGAfQts
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced
- Size
  
  713KB
- MD5
  
  4e99032cf799aad0a5b32fda617d3498
- SHA1
  
  e67deed6bfe806777b04266274713f3ed207fbff
- SHA256
  
  557e5a41f5e61261452454142d9e847e76bee97c7275525bc11c2b0a1ecb5ced
- SHA512
  
  21aa9b2b080684fb976ce3f1a97b51159feb7a8113e30375ae63ae929b49ef35782755dd4c35b3d5f1c1a4955638532839e31a885e475c8f867c4ba2799453e3
- SSDEEP
  
  12288:aKkRlAZIWi9UnAqyYkYIxPzO7/zeGI/l6HijbiPFFJuPLn:asZIWvnAGkYuqbvH7yPj
Score

10^/10

darkcomet neshta guest16 persistence rat spyware stealer trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Detect Neshta payload
- Modifies WinLogon for persistence
  persistence
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Change Default File Association

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometneshtaguest16persistenceratspywarestealertrojanupx

behavioral2

darkcometneshtaguest16persistenceratspywarestealertrojanupx

© 2018-2024

Terms | Privacy