Overview

overview

10

Static

static

c2e9570d4f...59.exe

windows7-x64

10

c2e9570d4f...59.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59

  • Size

    449KB

  • Sample

    221128-b378fsae4v

  • MD5

    e10ca314d5cc8d7643aff2acd14b8696

  • SHA1

    ff0e4023caa46ba078be0645c132b072a945d4f3

  • SHA256

    c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59

  • SHA512

    6b0777d52ea3f4e96185ec826d4637fd4f32ae604eec05ee2a6e83ac28b85bbb7a1ecb1ed9d0eb5b2996243b6317c39ee995f5539ba06551e119dea7c163414b

  • SSDEEP

    6144:59ts21gkJMMMyMEv1Goh7TJTX9sIsQkiFIk6/mFDe9Sqhq7nj/I0JIY7+qga:LtsiX2MFNgoRT1XasIk6CCVqA0Jd+q

Score
10/10
darkcometmodiloadertellpersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

tell

C2

ddos.duia.ro:443

Mutex

DCMIN_MUTEX-E61LPZQ

Attributes
  • InstallPath

    notepad.exe

  • gencode

    STE5MstR9N7H

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    Host process

Targets

    • Target

      c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59

    • Size

      449KB

    • MD5

      e10ca314d5cc8d7643aff2acd14b8696

    • SHA1

      ff0e4023caa46ba078be0645c132b072a945d4f3

    • SHA256

      c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59

    • SHA512

      6b0777d52ea3f4e96185ec826d4637fd4f32ae604eec05ee2a6e83ac28b85bbb7a1ecb1ed9d0eb5b2996243b6317c39ee995f5539ba06551e119dea7c163414b

    • SSDEEP

      6144:59ts21gkJMMMyMEv1Goh7TJTX9sIsQkiFIk6/mFDe9Sqhq7nj/I0JIY7+qga:LtsiX2MFNgoRT1XasIk6CCVqA0Jd+q

    Score
    10/10
    darkcometmodiloadertellpersistencerattrojanupx

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Modifies WinLogon for persistence

      persistence

    • ModiLoader Second Stage

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Scripting

1
T1064

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks