Overview

overview

10

Static

static

94956964d2...b7.exe

windows7-x64

10

94956964d2...b7.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    94956964d267c2391dd6799689b39054f320f8ff8b2f01c5985d63ffce910eb7

  • Size

    1.6MB

  • Sample

    221130-h3xv2sbg5v

  • MD5

    172b508f760ff844fc31e44d761d289c

  • SHA1

    a43ec1760b278bb434b6e61da41002d410a7aa5d

  • SHA256

    94956964d267c2391dd6799689b39054f320f8ff8b2f01c5985d63ffce910eb7

  • SHA512

    fbafbfa36796918ac64a4a5148ba5f14cc5536f2eb4ad052350420dc9b33ff457a15a21ba121accf463f62af7f6c37aceca70124df6c78f9401630c5daa15824

  • SSDEEP

    24576:4t+wU3uLfA7l+yUx+tRnCbSQnn8P2ubdWlm4yol+3L3aaQtpE4RYCOs:I831l+yUGzQn22WD4kb8tOs

Score
10/10
darkcometneshtaevasionpersistenceratspywarestealertrojan

Malware Config

Targets

    • Target

      94956964d267c2391dd6799689b39054f320f8ff8b2f01c5985d63ffce910eb7

    • Size

      1.6MB

    • MD5

      172b508f760ff844fc31e44d761d289c

    • SHA1

      a43ec1760b278bb434b6e61da41002d410a7aa5d

    • SHA256

      94956964d267c2391dd6799689b39054f320f8ff8b2f01c5985d63ffce910eb7

    • SHA512

      fbafbfa36796918ac64a4a5148ba5f14cc5536f2eb4ad052350420dc9b33ff457a15a21ba121accf463f62af7f6c37aceca70124df6c78f9401630c5daa15824

    • SSDEEP

      24576:4t+wU3uLfA7l+yUx+tRnCbSQnn8P2ubdWlm4yol+3L3aaQtpE4RYCOs:I831l+yUGzQn22WD4kb8tOs

    Score
    10/10
    darkcometneshtaevasionpersistenceratspywarestealertrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Detect Neshta payload

    • Modifies WinLogon for persistence

      persistence

    • Modifies firewall policy service

      evasion

    • Modifies security service

      evasion

    • Modifies system executable filetype association

      persistence

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Windows security bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

2
T1031

Change Default File Association

1
T1042

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

7
T1112

Disabling Security Tools

2
T1089

Hidden Files and Directories

2
T1158

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks