General

  • Target: 82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c
  • Size: 1.6MB
  • Sample: 221127-nnhqgadd98
  • MD5: eadb15713eac3cdd68ba2894159c712a
  • SHA1: 5d5e3b7f6fb857962e4e0bae1621f92c6d079a5c
  • SHA256: 82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c
  • SHA512: c361424c7fc256197857be6cb29527bb977dbb2a78e5ad84421f81becf973d2a70e26e7aa149706357b3c78457c09e7b91d72348bbc505b8fbf76e95e79c405b
  • SSDEEP: 49152:Xz1Yx8+L3BF4oyfKjyecVkpmldm+kzTSC:XhW9K5ijypCpmi+kzTx

Malware Config

Extracted

Family

darkcomet

Botnet

newstub

C2

warrior0007.no-ip.biz:1604

warrior0007.no-ip.biz:8027

Mutex

DC_MUTEX-WXZ81F5

Attributes

  • gencode: hea0E4tQnUVF
  • install: false
  • offline_keylogger: true
  • persistence: false

Targets

    • Target: 82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c
    • Size: 1.6MB
    • MD5: eadb15713eac3cdd68ba2894159c712a
    • SHA1: 5d5e3b7f6fb857962e4e0bae1621f92c6d079a5c
    • SHA256: 82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c
    • SHA512: c361424c7fc256197857be6cb29527bb977dbb2a78e5ad84421f81becf973d2a70e26e7aa149706357b3c78457c09e7b91d72348bbc505b8fbf76e95e79c405b
    • SSDEEP: 49152:Xz1Yx8+L3BF4oyfKjyecVkpmldm+kzTSC:XhW9K5ijypCpmi+kzTx

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks