General

  • Target

    cae4a7b8cdb6fb668682d466b33d1bed6fadccd96fe39ccf18362aae6d03746a

  • Size

    749KB

  • Sample

    221201-lxheysfh39

  • MD5

    f21b50008f7b80420eb4b47761a284c4

  • SHA1

    7a12185d5c6904dc4cf76d57cb137f71ac76947d

  • SHA256

    cae4a7b8cdb6fb668682d466b33d1bed6fadccd96fe39ccf18362aae6d03746a

  • SHA512

    33d68a60e8675cd1b6b84b32318fec815f4d37120ea2df8b950c410d7cc37be98a98729cfa9c13cdcb95ec5b8edba1644a39eabdb85253ee47a35c2577c061a4

  • SSDEEP

    12288:l9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hg4pjvcz:vZ1xuVVjfFoynPaVBUR8f+kN10EB5jv0

Malware Config

Extracted

Family

darkcomet

Botnet

HF

C2

127.0.0.1:83

127.0.0.1:1604

thailandhack.no-ip.org:1604

Mutex

DC_MUTEX-Q91687Y

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    AZDzCddgYAPM

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Winlogon Helper DLL (T1004): 1

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

Tasks