Overview

overview

10

Static

static

8

b00873e057...11.exe

windows7-x64

10

b00873e057...11.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b00873e05729f1a9924e57e66594cfda4af9869824ee3a5069aad9de0fc37411

  • Size

    411KB

  • Sample

    221201-l984fahb23

  • MD5

    8ad534532990d0621cf1786d380ae9dd

  • SHA1

    9c1ccd4ff0874f2912dadebd318bf44886d9f1f4

  • SHA256

    b00873e05729f1a9924e57e66594cfda4af9869824ee3a5069aad9de0fc37411

  • SHA512

    3a36a93740e2cd8805372522bfe7149802f0891977e2a0dbb2b50362966fa586e4854807bdabcdc9fdd34a40908d607343cfda1a2c27174b8aeaea4ee296c7dc

  • SSDEEP

    12288:mlghoSqHNJ/Jj0l5e7kurPQHr5wv1hlajScDlu:sg2HNb0lM7z0Wv6Dlu

Score
10/10
darkcometmainevasionrattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Main

C2

youknowwhat.zapto.org:8568

Mutex

DC_MUTEX-RSSVB20

Attributes
  • gencode

    1cfcWSgmK4PV

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      b00873e05729f1a9924e57e66594cfda4af9869824ee3a5069aad9de0fc37411

    • Size

      411KB

    • MD5

      8ad534532990d0621cf1786d380ae9dd

    • SHA1

      9c1ccd4ff0874f2912dadebd318bf44886d9f1f4

    • SHA256

      b00873e05729f1a9924e57e66594cfda4af9869824ee3a5069aad9de0fc37411

    • SHA512

      3a36a93740e2cd8805372522bfe7149802f0891977e2a0dbb2b50362966fa586e4854807bdabcdc9fdd34a40908d607343cfda1a2c27174b8aeaea4ee296c7dc

    • SSDEEP

      12288:mlghoSqHNJ/Jj0l5e7kurPQHr5wv1hlajScDlu:sg2HNb0lM7z0Wv6Dlu

    Score
    10/10
    darkcometmainevasionrattrojanupx

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2
T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2
T1158

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks