General

  • Target

    aee9537368f0783e23baf4f027b85b1a0d511afc8a061b0e561cc5c0c0de3fd8

  • Size

    1.0MB

  • Sample

    221203-srgpssfe9x

  • MD5

    c5c9a0332222e43d9573cc9c70c34355

  • SHA1

    4db65d1c88c123806aba5f4d6889bf4bfa25cca9

  • SHA256

    aee9537368f0783e23baf4f027b85b1a0d511afc8a061b0e561cc5c0c0de3fd8

  • SHA512

    b18dc4b1fd763a0940ee48ebe3f17e88de23177b05429850d2d29288223d9466c42c163ab9b1c0ad431024b6b6a7cfa46790d8cce67a92a3d289d5f5de097498

  • SSDEEP

    12288:C2wr5i38VeUbBG7QUDcMBqD3cwkz7RZ/vCgC430iPigX5QOfenwa0bR+/UFQhf7c:V3kPOcEqDw3I4BTewauR/F8f9C14E

Malware Config

Extracted

Family

darkcomet

Botnet

Victima

C2

mala-87.no-ip.org:1604

Mutex

DC_MUTEX-WFM1HME

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    1H10Q6SrzhVj

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      aee9537368f0783e23baf4f027b85b1a0d511afc8a061b0e561cc5c0c0de3fd8

    • Size

      1.0MB

    • MD5

      c5c9a0332222e43d9573cc9c70c34355

    • SHA1

      4db65d1c88c123806aba5f4d6889bf4bfa25cca9

    • SHA256

      aee9537368f0783e23baf4f027b85b1a0d511afc8a061b0e561cc5c0c0de3fd8

    • SHA512

      b18dc4b1fd763a0940ee48ebe3f17e88de23177b05429850d2d29288223d9466c42c163ab9b1c0ad431024b6b6a7cfa46790d8cce67a92a3d289d5f5de097498

    • SSDEEP

      12288:C2wr5i38VeUbBG7QUDcMBqD3cwkz7RZ/vCgC430iPigX5QOfenwa0bR+/UFQhf7c:V3kPOcEqDw3I4BTewauR/F8f9C14E

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Sets file to hidden

      Sets the hidden attribute on the dropped file so that Explorer and other tools that honour the attribute do not list it.

    • Checks computer location settings

      Reads the country code configured in the registry, likely used to geofence execution.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
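The extracted config and the behaviours listed above translate directly into indicators an analyst can hunt for. The script below is an added example for this report, not code from the sandbox vendor or from DarkComet itself: it turns the config values (C2 host and port, mutex, install path, Run value name) into matchable indicators and runs them over constructed Sysmon-style endpoint events. The event schema is invented for the example; the generic `DC_MUTEX-` prefix match and the check of the Winlogon `Userinit`/`Shell` values are assumptions drawn from DarkComet's default behaviour rather than facts stated on this page.

```python
"""Derive IOCs from the DarkComet config above and match them against
sample endpoint telemetry.  Added example for this report, not sandbox or
malware code.  Telemetry events below are constructed, Sysmon-like records."""
import re

# Values copied from the "Malware Config" section of this report.
DARKCOMET_CONFIG = {
    "c2": "mala-87.no-ip.org:1604",
    "mutex": "DC_MUTEX-WFM1HME",
    "install_path": r"MSDCSC\msdcsc.exe",   # relative; base directory varies by build
    "reg_key": "MicroUpdate",               # Run value name
}

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# Assumption: Winlogon persistence lands in the Userinit or Shell value.
WINLOGON_RE = re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.I)
# Assumption: DarkComet's default mutex is DC_MUTEX- plus seven alphanumerics (weaker, family-level match).
DC_MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")


def iocs_from_config(cfg):
    """Split the config into indicators that can be compared against events."""
    host, _, port = cfg["c2"].rpartition(":")
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        # Matched as a path suffix because the install base directory is not in the config.
        "install_suffix": "\\" + cfg["install_path"].lower(),
        "run_value": cfg["reg_key"].lower(),
    }


def match_event(ev, iocs):
    """Return a list of (label, reason) hits for one telemetry event."""
    hits = []
    kind = ev["type"]
    if kind == "registry_set":
        m = RUN_KEY_RE.search(ev["target"])
        if m and m.group(1).lower() == iocs["run_value"]:
            hits.append(("T1060", f"Run value {m.group(1)} -> {ev['details']}"))
        if WINLOGON_RE.search(ev["target"]) and iocs["install_suffix"] in ev["details"].lower():
            value_name = ev["target"].rsplit("\\", 1)[-1]
            hits.append(("T1004", f"Winlogon {value_name} points at dropped EXE"))
    elif kind == "process_create":
        if ev["image"].lower().endswith(iocs["install_suffix"]):
            hits.append(("exec", f"dropped EXE executed: {ev['image']}"))
    elif kind == "dns_query":
        if ev["query"].lower() == iocs["c2_host"]:
            hits.append(("c2", f"DNS lookup of C2 {ev['query']}"))
    elif kind == "network_connect":
        if ev["dest_host"].lower() == iocs["c2_host"] and ev["dest_port"] == iocs["c2_port"]:
            hits.append(("c2", f"connection to {ev['dest_host']}:{ev['dest_port']}"))
    elif kind == "mutex_create":
        if ev["name"] == iocs["mutex"]:
            hits.append(("mutex", f"exact sample mutex {ev['name']}"))
        elif DC_MUTEX_RE.match(ev["name"]):
            hits.append(("mutex-generic", f"DarkComet-style mutex {ev['name']}"))
    return hits


def scan(events, cfg=DARKCOMET_CONFIG):
    """Run every event through the indicator set; returns the combined hit list."""
    iocs = iocs_from_config(cfg)
    out = []
    for ev in events:
        out.extend(match_event(ev, iocs))
    return out


# Constructed telemetry: six events mirroring the behaviours in this report plus two benign ones.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\victim\Documents\MSDCSC\msdcsc.exe"},
    {"type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate",
     "details": r"C:\Users\victim\Documents\MSDCSC\msdcsc.exe"},
    {"type": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe,C:\Users\victim\Documents\MSDCSC\msdcsc.exe"},
    {"type": "mutex_create", "name": "DC_MUTEX-WFM1HME"},
    {"type": "dns_query", "query": "mala-87.no-ip.org"},
    {"type": "network_connect", "dest_host": "mala-87.no-ip.org", "dest_port": 1604},
    {"type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "dns_query", "query": "www.microsoft.com"},
]

if __name__ == "__main__":
    for label, reason in scan(SAMPLE_EVENTS):
        print(f"[{label}] {reason}")
```

The install path is matched as a suffix on purpose: the config only records `MSDCSC\msdcsc.exe`, and the directory it is dropped under is not part of the extracted config, so anchoring on the full path would miss builds that install elsewhere. The mutex check reports an exact hit for this sample's mutex and a separate, lower-confidence hit for any other `DC_MUTEX-` name, so the two can be triaged differently.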

MITRE ATT&CK Matrix (ATT&CK v6; the count is the number of matched signatures per technique)

  • Persistence

    Winlogon Helper DLL (T1004, now T1547.004): 1
    Hidden Files and Directories (T1158, now T1564.001): 2
    Registry Run Keys / Startup Folder (T1060, now T1547.001): 1

  • Defense Evasion

    Modify Registry (T1112): 2
    Hidden Files and Directories (T1158, now T1564.001): 2

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2
