General

  • Target: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5
  • Size: 343KB
  • Sample: 221203-ep2ejagd5y
  • MD5: c6551e869e75447e6456095e6c6aeced
  • SHA1: 44b79feb248f0c1d68e9f4f61f43050280e8672a
  • SHA256: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5
  • SHA512: 965aa351ec316b187c92ed0ce065db56b813e52f31abd391f593b4215b443300f8355889b8eb66e896f9fcdc0fd87511d55c734e785459d047ebf4e0a0db00fe
  • SSDEEP: 6144:fUPCHRSrGCFGMQZhKYWqdRBYn58JOBGmtMCANkRfX90OO1+JCl+aL5n:Xx2GiGMBHqhYOJONtMCesfXlKXll

Malware Config

Extracted

  • Family: darkcomet
  • Botnet: 13.07.12 Crypter
  • C2: leetaka1337.no-ip.org:1604
  • Mutex: DC_MUTEX-JFX5RP1

Attributes
  • InstallPath: MSDCSC\winhost.exe
  • gencode: lCnq6VNbar2M
  • install: true
  • offline_keylogger: true
  • persistence: false
  • reg_key: MicroUpdate

Targets

    • Target: d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5
    • Size: 343KB

    • Darkcomet: DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
    • Modifies WinLogon for persistence
    • Executes dropped EXE
    • UPX packed file: Detects executables packed with UPX/modified UPX open source packer.
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                            ID     Count
  Persistence      Winlogon Helper DLL                  T1004  1
  Persistence      Registry Run Keys / Startup Folder   T1060  1
  Defense Evasion  Modify Registry                      T1112  2
  Discovery        Query Registry                       T1012  1
  Discovery        System Information Discovery         T1082  2