General

  • Target

    3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53

  • Size

    356KB

  • Sample

    221201-l3vmgabh6w

  • MD5

    6665f5e35cc8a79573b7a60f42793ad5

  • SHA1

    38f5f0131b63098f9fab7f6cdfb91b80999d4d94

  • SHA256

    3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53

  • SHA512

    0a2578d4f15a2fb755a299b21fa5492b42e4c943178ad075a44412a0161aea6580d19543a06bff00c6f62d2626a678b0c0c2b802253312b042e06a98dc5adecf

  • SSDEEP

    6144:BcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL378CfCY:BcW7KEZlPzCy378kC

Malware Config

Extracted

Family

darkcomet

Attributes

  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

Extracted

Family

darkcomet

Botnet

nmp1

C2

nhatnhoa.no-ip.org:9998

Mutex

DC_MUTEX-6SF0UYS

Attributes

  • InstallPath

    MSDCSC\svhost.exe

  • gencode

    f9Jslnn1jp65

  • install

    true

  • offline_keylogger

    true

  • password

    jimmynmp

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
