Overview

overview

10

Static

static

ef8b0ee815...c5.exe

windows7-x64

10

ef8b0ee815...c5.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ef8b0ee815859434a3aadb1718174b5810d36bfe1969ff8013737edce631ffc5

  • Size

    782KB

  • Sample

    221130-t8knfsbb51

  • MD5

    b7414bc01b68b41bb590f386f3ef043b

  • SHA1

    c2bcba593bb92ed31f62722a5092ce213ac597f5

  • SHA256

    ef8b0ee815859434a3aadb1718174b5810d36bfe1969ff8013737edce631ffc5

  • SHA512

    d8f62814f09388317c3ee6ac2ad3b5cec9d81918d75d8f40384432b844f4610b399862d02c4cc1ea8a3d83a177714a24ab77837249490f4a16e078fcbb998f8c

  • SSDEEP

    24576:U51bZcLt7bY+oKJdi8vwIu2+Io4BermnaCM3GMm8Kw:Q1CffdPwIuWoMeC3M3GMma

Score
10/10
darkcometvictimapersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Victima

C2

zxcasdqwe.no-ip.org:1604

Mutex

DC_MUTEX-TCE2J14

Attributes
  • InstallPath

    Firewall\Update.exe

  • gencode

    Pf1DBL8v2es4

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Update

Targets

    • Target

      ef8b0ee815859434a3aadb1718174b5810d36bfe1969ff8013737edce631ffc5

    • Size

      782KB

    • MD5

      b7414bc01b68b41bb590f386f3ef043b

    • SHA1

      c2bcba593bb92ed31f62722a5092ce213ac597f5

    • SHA256

      ef8b0ee815859434a3aadb1718174b5810d36bfe1969ff8013737edce631ffc5

    • SHA512

      d8f62814f09388317c3ee6ac2ad3b5cec9d81918d75d8f40384432b844f4610b399862d02c4cc1ea8a3d83a177714a24ab77837249490f4a16e078fcbb998f8c

    • SSDEEP

      24576:U51bZcLt7bY+oKJdi8vwIu2+Io4BermnaCM3GMm8Kw:Q1CffdPwIuWoMeC3M3GMma

    Score
    10/10
    darkcometvictimapersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks