darkcomet | b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964 | Triage

Submit
Reports

Overview

overview

Static

static

b4d47dffea...64.exe

windows7-x64

b4d47dffea...64.exe

windows10-2004-x64

Sharing

General

Target

b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964
Size

814KB
Sample

221130-w7je4sea43
MD5

74230b48a3527617281d77d88a876591
SHA1

eb36e4e7a0a4a18cafe4405988542f3742aee86e
SHA256

b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964
SHA512

b3275c8f4d4069f81ac5467d641ef9fc7b36de8fcdfd97d2e47c22a3c894a494dc143cb4d5a4da85434f9d38a636ea2b31151c06e7d8f32f582fef0497dc9aec
SSDEEP

12288:LifsksSl+IUfUGkk0lzSqfJhUIgWc4S5m48kA+WWgNhUO2NncLBwvgRTGJIKW3/u:eHZUZNaqWHgRRORBwvgRuS/81L

Score

10^/10

darkcomet modiloader server persistence rat trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe

Resource

win7-20220901-en

darkcomet modiloader server persistence rat trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964.exe

Resource

win10v2004-20220901-en

darkcomet modiloader server persistence rat trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Server

C2

thaneveenz.no-ip.biz:1604

Mutex

DC_MUTEX-NZWP5K5

Attributes

InstallPath
Program Files\winupdate\winupdate.exe
gencode
7Jojid436QAA
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964
- Size
  
  814KB
- MD5
  
  74230b48a3527617281d77d88a876591
- SHA1
  
  eb36e4e7a0a4a18cafe4405988542f3742aee86e
- SHA256
  
  b4d47dffea5885e4a5a9b7d329949d2523fa6e528d24333f8ef719bbe5d71964
- SHA512
  
  b3275c8f4d4069f81ac5467d641ef9fc7b36de8fcdfd97d2e47c22a3c894a494dc143cb4d5a4da85434f9d38a636ea2b31151c06e7d8f32f582fef0497dc9aec
- SSDEEP
  
  12288:LifsksSl+IUfUGkk0lzSqfJhUIgWc4S5m48kA+WWgNhUO2NncLBwvgRTGJIKW3/u:eHZUZNaqWHgRRORBwvgRuS/81L
Score

10^/10

darkcomet modiloader server persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies WinLogon for persistence
  persistence
- ModiLoader Second Stage
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometmodiloaderserverpersistencerattrojan

behavioral2

darkcometmodiloaderserverpersistencerattrojan

© 2018-2024

Terms | Privacy