Overview

overview

10

Static

static

c101131318...b2.exe

windows7-x64

10

c101131318...b2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2

  • Size

    605KB

  • Sample

    221203-cd3r4sed22

  • MD5

    68b23221d1af190c3bfadd23fc64e87d

  • SHA1

    1e6ae48e30d17c3e2acab6f1567ec2b380391e82

  • SHA256

    c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2

  • SHA512

    ebe0a16676545a37d5692b75abc552f35f69a14a4d04c0b12f9021fcbc14ca3fdb1c59b59ae2f5b58bc8bdb69e15a8e2d041d738fadbf23e02ab6de7087e55be

  • SSDEEP

    6144:g/sxRbSSN0fItQTG2BDqVMRs3HaMlFZqGT2/dSfLpkPHR39OL85GUS4rg:ggSYjOGk8AVHU85

Score
10/10
darkcometevasionpersistencerattrojanupx

Malware Config

Targets

    • Target

      c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2

    • Size

      605KB

    • MD5

      68b23221d1af190c3bfadd23fc64e87d

    • SHA1

      1e6ae48e30d17c3e2acab6f1567ec2b380391e82

    • SHA256

      c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2

    • SHA512

      ebe0a16676545a37d5692b75abc552f35f69a14a4d04c0b12f9021fcbc14ca3fdb1c59b59ae2f5b58bc8bdb69e15a8e2d041d738fadbf23e02ab6de7087e55be

    • SSDEEP

      6144:g/sxRbSSN0fItQTG2BDqVMRs3HaMlFZqGT2/dSfLpkPHR39OL85GUS4rg:ggSYjOGk8AVHU85

    Score
    10/10
    darkcometevasionpersistencerattrojanupx

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies firewall policy service

      evasion

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Scripting

1
T1064

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks