General

  • Target

    fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d

  • Size

    2.6MB

  • Sample

    221203-cth3msfe59

  • MD5

    10c0e1e14e177d1486d99c3a91d84969

  • SHA1

    c0b90a929ff7a8c1c14ee554f2cc55a39605217e

  • SHA256

    fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d

  • SHA512

    2d83e9fd63d40c2ee020c63878e2c5e421944a458f516741cfefa539de3649f59e3c64dfeab3496dd8c291a4f9756cc37cc3fe5f59d2e861e5a8553f417d3237

  • SSDEEP

    49152:Txjs/ylV/q8f7NHOiCR577tOReeel4+GnBdJFEwks51SjaU7/fMP0:TxcylVyABa5PgdFZnBtE+10

Malware Config

Extracted

Family

darkcomet

Botnet

±ö¿Í16

C2

heiseyinmou.gnway.net:2012

Mutex

DC_MUTEX-F4ZWV0U

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    czMVsH3hot1Q

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    ΢�͸���

Targets

    • Target

      fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d

    • Size

      2.6MB

    • MD5

      10c0e1e14e177d1486d99c3a91d84969

    • SHA1

      c0b90a929ff7a8c1c14ee554f2cc55a39605217e

    • SHA256

      fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d

    • SHA512

      2d83e9fd63d40c2ee020c63878e2c5e421944a458f516741cfefa539de3649f59e3c64dfeab3496dd8c291a4f9756cc37cc3fe5f59d2e861e5a8553f417d3237

    • SSDEEP

      49152:Txjs/ylV/q8f7NHOiCR577tOReeel4+GnBdJFEwks51SjaU7/fMP0:TxcylVyABa5PgdFZnBtE+10

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1004 Winlogon Helper DLL (1)
    T1060 Registry Run Keys / Startup Folder (1)
    T1067 Bootkit (1)

  • Defense Evasion

    T1112 Modify Registry (2)
    T1497 Virtualization/Sandbox Evasion (1)

  • Discovery

    T1012 Query Registry (2)
    T1082 System Information Discovery (3)
    T1497 Virtualization/Sandbox Evasion (1)

Tasks