General

  • Target: e8acd36b264ba0f6ef059bd9e31a2adbae4ae8271462880501bbc786dd087263
  • Size: 1.4MB
  • Sample: 221130-yg8y7ahh96
  • MD5: 867a94427df23e7400f1912e0054c02e
  • SHA1: c8004ee0f6895757e6e3c391100b09ca6fedacc3
  • SHA256: e8acd36b264ba0f6ef059bd9e31a2adbae4ae8271462880501bbc786dd087263
  • SHA512: a2ef02dd014ab123d372b9925b86e352cc1324cb0ebc8838f94e52243fef2d867a49ad132e8c7e35b983d9395b7140e4a454f4dfa20d17aad7de6ee04fce579d
  • SSDEEP: 24576:V6f6UcjbYmVn3hITCmvOTggIRfmQX3zRYC6FVZPv+FWe4Ys/E:V861jnJgjYlDZ3+UT/E

Malware Config

Extracted

  • Family: darkcomet
  • Botnet: gyge
  • C2: 127.0.0.1:1604
  • Mutex: DCMIN_MUTEX-CZGVNEU

Attributes

  • InstallPath: DCSCMIN\IMDCSC.exe
  • gencode: 2uuQwotMFJj1
  • install: true
  • offline_keylogger: true
  • persistence: false
  • reg_key: DarkComet RAT

Targets

    • Darkcomet
      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
    • Modifies WinLogon for persistence
    • Executes dropped EXE
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.
    • Loads dropped DLL
    • Reads local data of messenger clients
      Infostealers often target the stored data of messaging applications, which can include saved credentials and account information.
    • Uses the VBS compiler for execution
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                              Count  ID
  Execution           Scripting                              1      T1064
  Persistence         Winlogon Helper DLL                    1      T1004
  Persistence         Registry Run Keys / Startup Folder     1      T1060
  Defense Evasion     Modify Registry                        2      T1112
  Defense Evasion     Scripting                              1      T1064
  Credential Access   Credentials in Files                   1      T1081
  Discovery           Query Registry                         1      T1012
  Discovery           System Information Discovery           2      T1082
  Collection          Data from Local System                 1      T1005