Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    b49bf9fb3415d3755afa3a8cd71434ffcb47ecd09e33648b53879b3c6008e8df

  • Size

    690KB

  • Sample

    221127-afr3aaac3v

  • MD5

    3c5d2b983954dda34a20869edd0ab20e

  • SHA1

    0ae98b776b37d6c26317afaa13b0b59f4342a0fe

  • SHA256

    b49bf9fb3415d3755afa3a8cd71434ffcb47ecd09e33648b53879b3c6008e8df

  • SHA512

    50b9af5fc454d4b4d1d3096a64e0121bfc555a49cc8a9d7516f2473f7584ef0d5e64e90f5842e34b4a3e2bdc7647883b31272d90c3d3a5bc64c2211a613342d6

  • SSDEEP

    12288:V9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hoJ:fZ1xuVVjfFoynPaVBUR8f+kN10EB6

Malware Config

Extracted

Family

darkcomet

Botnet

Bruh

C2

midnight8045.duckydns.org:5050

Mutex

DCMIN_MUTEX-AUKNFFR

Attributes
  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    HQTfAYDL9u0p

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    DarkComet RAT

Targets

    • Target

      b49bf9fb3415d3755afa3a8cd71434ffcb47ecd09e33648b53879b3c6008e8df

    • Size

      690KB

    • MD5

      3c5d2b983954dda34a20869edd0ab20e

    • SHA1

      0ae98b776b37d6c26317afaa13b0b59f4342a0fe

    • SHA256

      b49bf9fb3415d3755afa3a8cd71434ffcb47ecd09e33648b53879b3c6008e8df

    • SHA512

      50b9af5fc454d4b4d1d3096a64e0121bfc555a49cc8a9d7516f2473f7584ef0d5e64e90f5842e34b4a3e2bdc7647883b31272d90c3d3a5bc64c2211a613342d6

    • SSDEEP

      12288:V9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hoJ:fZ1xuVVjfFoynPaVBUR8f+kN10EB6

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks