
General

  • Target: 5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381
  • Size: 758KB
  • Sample: 221127-2f8tkshc8z
  • MD5: 984cc506b7124dafeb1a401124d315b7
  • SHA1: e2938d7c3bfd74179fcb8f0b7e7c79e6c76f0798
  • SHA256: 5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381
  • SHA512: de2d06123119f1ddea521fecda32130c25904235ee729ec168747f40f3ae9da484a64df67dc2aa7ad579cbab6eeebba325965e1c8d2ba83161660e397879a834
  • SSDEEP: 12288:rXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452Ul:znAw2WWeFcfbP9VPSPMTSPL/rWvzq4JV

Malware Config

Extracted

  • Family: darkcomet
  • Botnet: Guest16
  • C2: blinko.no-ip.biz:1604
  • Mutex: DC_MUTEX-XEP2LCR

Attributes

  • InstallPath: MSDCSC\msdcsc.exe
  • gencode: Qx6wzbzu70U9
  • install: true
  • offline_keylogger: true
  • persistence: false
  • reg_key: MicroUpdate

Targets

    • Darkcomet: DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
    • Modifies WinLogon for persistence
    • Modifies firewall policy service
    • Windows security bypass
    • Executes dropped EXE
    • Sets file to hidden: modifies file attributes so the file is not shown in Explorer and similar tools.
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
    • Loads dropped DLL
    • Windows security modification
    • Adds Run key to start application
