General

  • Target

    c8e486f97ccbed92dbacadec7a9f597aeb297019b7d87bc2b1a8c89472582d01

  • Size

    1.3MB

  • Sample

    221130-1fmqnsbd5w

  • MD5

    20b3bb5dab2c77cf2501a765da1ba151

  • SHA1

    f286b9b0a86b1e4f0282fc1cb01fba3c20f6b5f4

  • SHA256

    c8e486f97ccbed92dbacadec7a9f597aeb297019b7d87bc2b1a8c89472582d01

  • SHA512

    2b971636d22e5ed6f13d46cbe8918772d05eeba1cc0af627998281c5d306b9508f7743ce59bfbe0e334133192c387e1a33d5f8b4d498b0e286fac69a5d0fc2f5

  • SSDEEP

    24576:+svBI6eGgoshFgsIvmblzOttPDwZfp144XARcXCojrtRd0VvX0M2jkLof6QMj:lkBWtupwNKrtsXMFfOj

Malware Config

Extracted

Family

darkcomet

Botnet

HF

C2

synq.no-ip.biz:200

synq.no-ip.org:200

Synq.no-ip.org:200

Mutex

DC_MUTEX-NRAZ46Y

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    ZCPDhjlWW9Di

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    rundll32

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                             Count  ID
  ---------------  ------------------------------------  -----  -----
  Persistence      Winlogon Helper DLL                   1      T1004
  Persistence      Hidden Files and Directories          2      T1158
  Persistence      Registry Run Keys / Startup Folder    1      T1060
  Defense Evasion  Modify Registry                       2      T1112
  Defense Evasion  Hidden Files and Directories          2      T1158
  Discovery        Query Registry                        1      T1012
  Discovery        System Information Discovery          2      T1082

Tasks