darkcomet | c13f35c0dc3c57838ad8166202fe4f1785bed9c8b13ea1c83a4f49c0809254cf | Triage

Submit
Reports

Overview

overview

Static

static

8

c13f35c0dc...cf.exe

windows7-x64

c13f35c0dc...cf.exe

windows10-2004-x64

Sharing

General

Target

c13f35c0dc3c57838ad8166202fe4f1785bed9c8b13ea1c83a4f49c0809254cf
Size

308KB
Sample

221128-ymfvlace79
MD5

733874ca87d54ba711a1a366e9601261
SHA1

69fbaa4bb1f9f4b3736041f374d2f3f108672b38
SHA256

c13f35c0dc3c57838ad8166202fe4f1785bed9c8b13ea1c83a4f49c0809254cf
SHA512

885524d4c8271fc1cc6daf6203abbcb182dcb349b8ddabe87d037a557a84be292a87747cb1271babcce0a51809523edb43cdc358cf8de07140292618b0c7de90
SSDEEP

6144:CcNYk1yuwEDBum3qYWnl0pd0EX3Zq2b6wfIDYm0PHQWBDhr3H:CcWkbgTYWnYnt/IDYhPLj

Score

10^/10

darkcomet ramnit usb banker evasion persistence rat spyware stealer trojan upx worm

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

c13f35c0dc3c57838ad8166202fe4f1785bed9c8b13ea1c83a4f49c0809254cf.exe

Resource

win7-20221111-en

darkcomet ramnit usb banker evasion persistence rat spyware stealer trojan upx worm

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

c13f35c0dc3c57838ad8166202fe4f1785bed9c8b13ea1c83a4f49c0809254cf.exe

Resource

win10v2004-20221111-en

darkcomet ramnit banker evasion persistence rat spyware stealer trojan upx worm

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

usb

C2

192.168.1.1:1604

87.252.66.185:1604

192.168.1.4:1604

192.168.1.2:1604

192.168.1.3:1604

192.168.1.5:1604

Mutex

DC_MUTEX-Z28DCY4

Attributes

InstallPath
winlogon/winlogon.exe *32
gencode
FgFBfDLSxflB
install
true
offline_keylogger
true
persistence
false
reg_key
winlogon.exe *32

Targets

- Target
  
  c13f35c0dc3c57838ad8166202fe4f1785bed9c8b13ea1c83a4f49c0809254cf
- Size
  
  308KB
- MD5
  
  733874ca87d54ba711a1a366e9601261
- SHA1
  
  69fbaa4bb1f9f4b3736041f374d2f3f108672b38
- SHA256
  
  c13f35c0dc3c57838ad8166202fe4f1785bed9c8b13ea1c83a4f49c0809254cf
- SHA512
  
  885524d4c8271fc1cc6daf6203abbcb182dcb349b8ddabe87d037a557a84be292a87747cb1271babcce0a51809523edb43cdc358cf8de07140292618b0c7de90
- SSDEEP
  
  6144:CcNYk1yuwEDBum3qYWnl0pd0EX3Zq2b6wfIDYm0PHQWBDhr3H:CcWkbgTYWnYnt/IDYhPLj
Score

10^/10

darkcomet ramnit usb banker evasion persistence rat spyware stealer trojan upx worm
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometramnitusbbankerevasionpersistenceratspywarestealertrojanupxworm

behavioral2

darkcometramnitbankerevasionpersistenceratspywarestealertrojanupxworm

© 2018-2024

Terms | Privacy