General

  • Target: 0797ecf215ad293bb9cec8cc8d7c48721866a224585490bf3993910366b134b7
  • Size: 736KB
  • Sample: 221128-xkhqqsha27
  • MD5: aa790ff4f430ab3af619c31d4d0d9c92
  • SHA1: 8fe417542db5fe0671fb164bbdc9973e6c48f73a
  • SHA256: 0797ecf215ad293bb9cec8cc8d7c48721866a224585490bf3993910366b134b7
  • SHA512: abfa2156fbeba332ca669cc54c7c75f58fcdc57546ef6f4244217ab2471b106a32d35c9348ca3a22294c2fbcb0ea1f3416b32617aa84bd29372fbf0a0f6e0031
  • SSDEEP: 12288:a5gTvBHv8dtRtpkxG/2VDFQa5xfUGXp/s0RpirOIAp555:aQBHv8dtR/kCcQcxfUG5U2pirB

Malware Config

Extracted

  • Family: darkcomet
  • Botnet: v1
  • C2: easytoremember.no-ip.biz:9003
  • Mutex: DC_MUTEX-RHEVRRJ
  • Attributes
      • InstallPath: GoogleUpdate\updater.exe
      • gencode: 3bnD3E1CbrMc
      • install: true
      • offline_keylogger: true
      • persistence: true
      • reg_key: googleupdate

Targets

    • Darkcomet: DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
    • Modifies WinLogon for persistence
    • Executes dropped EXE
    • Sets file to hidden: modifies file attributes to stop it showing in Explorer etc.
    • Loads dropped DLL
    • Uses the VBS compiler for execution
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
      • Scripting (T1064): 1
  • Persistence
      • Winlogon Helper DLL (T1004): 1
      • Hidden Files and Directories (T1158): 2
      • Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
      • Modify Registry (T1112): 2
      • Hidden Files and Directories (T1158): 2
      • Scripting (T1064): 1

Tasks