Overview

overview

10

Static

static

f582179374...52.exe

windows7-x64

10

f582179374...52.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f582179374bde1f836cb2d8f98f4d6de71e23bfa120d503a3a3eb8e0e9d6ac52

  • Size

    1.2MB

  • Sample

    221127-l8tblahe35

  • MD5

    6966f74e9d8f1a376ea379f9fcc206a2

  • SHA1

    3686d3a9a07ed9f9bda256df9cd2e5604c84de2f

  • SHA256

    f582179374bde1f836cb2d8f98f4d6de71e23bfa120d503a3a3eb8e0e9d6ac52

  • SHA512

    0cf914ae8cf954000a526584c01028409188a19ed4b2910618ed458fa76e3fcf5f0df6fb32b8e9b256535f2d07ebee834c7e5357fd3e597b6803bbd0dd1e0336

  • SSDEEP

    12288:C+0Qo6Vv9vkeeP2d+1bmXlZeGB3EHPiiyPP+Mxb1:C+0Z6Vdkeea+1i0iiyPFxZ

Score
10/10
darkcometinfectedevasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Infected

C2

dcnew.ddns.net:1604

Mutex

DC_MUTEX-R5E5D6N

Attributes
  • InstallPath

    WindowsDefencler\WindowsDefencler.exe

  • gencode

    J8TDDtLHxoYC

  • install

    true

  • offline_keylogger

    true

  • password

    00000

  • persistence

    true

  • reg_key

    WindowsDefencler

Targets

    • Target

      f582179374bde1f836cb2d8f98f4d6de71e23bfa120d503a3a3eb8e0e9d6ac52

    • Size

      1.2MB

    • MD5

      6966f74e9d8f1a376ea379f9fcc206a2

    • SHA1

      3686d3a9a07ed9f9bda256df9cd2e5604c84de2f

    • SHA256

      f582179374bde1f836cb2d8f98f4d6de71e23bfa120d503a3a3eb8e0e9d6ac52

    • SHA512

      0cf914ae8cf954000a526584c01028409188a19ed4b2910618ed458fa76e3fcf5f0df6fb32b8e9b256535f2d07ebee834c7e5357fd3e597b6803bbd0dd1e0336

    • SSDEEP

      12288:C+0Qo6Vv9vkeeP2d+1bmXlZeGB3EHPiiyPP+Mxb1:C+0Z6Vdkeea+1i0iiyPFxZ

    Score
    10/10
    darkcometinfectedevasionpersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Winlogon Helper DLL

1
T1004

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Hidden Files and Directories

2
T1158

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks