Resubmissions (date, sample ID, score)

  • 29-12-2022 03:55    221229-egv8jscc62    score 10
  • 29-12-2022 02:33    221229-c2aq8scb84    score 10
  • 29-12-2022 02:31    221229-czzycafc3x    score 3
  • 29-12-2022 02:26    221229-cw5pescb73    score 3

General

  • Target

    Bhop Leo X 24 Febrero.rar

  • Size

    32.8MB

  • Sample

    221229-egv8jscc62

  • MD5

    318567a5b9b9c776c27b052c5d504e6b

  • SHA1

    060cb6c12a4e1f066c71eac1f3175b776a64049b

  • SHA256

    350ff935460423d34cfc24b2624ff9d9fa42f7840782cdd0bb26f14c2298c1e3

  • SHA512

    c7d1a0c5adb48dec802101431b487c3b5300be183d9f5d2866f9eb9345737217edbf9ef6315a949233e16e9eca9cc05bd779baa2943e519df9c7ba2aaa7c5895

  • SSDEEP

    786432:B5pvNLGHLzk+AdzlrzY5Jg9+Wwd7B5E7GxXhtNTVG:1Y3k+K+/g9+Wi95EOrNTVG

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

gameservice.ddns.net:4320

Mutex

DC_MUTEX-WBUNVXD

Attributes
  • InstallPath

    AudioDriver\taskhost.exe

  • gencode

    EWSsWwgyJrUD

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    AudioDriver

Targets

    • Target

      Bhop Leo X 24 Febrero.rar

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • UPX packed file

      An executable packed with UPX, or with a modified build of the open-source UPX packer, was detected.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before running.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2 (the C2 host gameservice.ddns.net is a dynamic-DNS name)

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
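The extracted config and the behaviour signatures above give everything needed for a first hunt on other hosts: the Run value name (reg_key), the dropped file name (InstallPath), the Winlogon change, the mutex and the dynamic-DNS C2. The following script is an added example, not part of the report or of the sandbox's own tooling: it turns the config fields into IOCs and runs them over constructed Sysmon-style registry events (EventID 13 fields TargetObject/Details) and DNS query tuples. The full drop directory under AppData\Roaming, the dynamic-DNS suffix list and the "stock Userinit" comparison are assumptions made for the example; the report only gives the relative path AudioDriver\taskhost.exe. Note that DarkComet's "persistence" flag is the builder's name for its self-reinstall option, so persistence=false does not contradict the Run key and Winlogon signatures seen here.

```python
import re

# Config values copied from the "Malware Config" section of the report.
CONFIG = {
    "Mutex": "DC_MUTEX-WBUNVXD",
    "C2": "gameservice.ddns.net:4320",
    "InstallPath": r"AudioDriver\taskhost.exe",
    "reg_key": "AudioDriver",
    "install": True,
    "persistence": False,
}

# Constructed, non-exhaustive dynamic-DNS watchlist (assumption for the example).
DYNDNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.biz", "hopto.org",
                   "zapto.org", "duckdns.org")

# Stock Winlogon values; anything else written there is treated as suspicious.
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"
SHELL_DEFAULT = "explorer.exe"

# Sysmon writes registry paths as HKU\<SID>\... or HKLM\...; match on the tail.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)
WINLOGON_RE = re.compile(
    r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(?P<value>Userinit|Shell)$", re.I)


def iocs_from_config(cfg):
    """Split the extracted DarkComet config into host and network IOCs."""
    host, _, port = cfg["C2"].rpartition(":")
    directory, _, filename = cfg["InstallPath"].rpartition("\\")
    return {
        "mutex": cfg["Mutex"],            # check with a live handle/mutant listing
        "c2_host": host.lower(),
        "c2_port": int(port),
        "run_value_name": cfg["reg_key"],  # value name under ...\CurrentVersion\Run
        "install_dir": directory,
        "install_file": filename.lower(),
    }


def match_registry_events(events, iocs):
    """events: dicts with Sysmon EID 13 fields TargetObject and Details.
    Returns (rule, TargetObject, Details) for Run-key and Winlogon persistence."""
    hits = []
    for ev in events:
        target, details = ev["TargetObject"], ev.get("Details", "")
        m = RUN_KEY_RE.search(target)
        if m:
            if (m.group("name").lower() == iocs["run_value_name"].lower()
                    or iocs["install_file"] in details.lower()):
                hits.append(("run_key", target, details))
            continue
        m = WINLOGON_RE.search(target)
        if m:
            value = m.group("value").lower()
            d = details.lower().strip().rstrip(",")
            if value == "userinit" and d != USERINIT_DEFAULT:
                hits.append(("winlogon_userinit", target, details))
            elif value == "shell" and d != SHELL_DEFAULT:
                hits.append(("winlogon_shell", target, details))
    return hits


def match_dns(queries, iocs):
    """queries: (client_ip, qname) tuples. Returns (exact C2 hits, other dyn-DNS hits)."""
    exact, dyndns = [], []
    for client, qname in queries:
        q = qname.lower().rstrip(".")
        if q == iocs["c2_host"]:
            exact.append((client, q))
        elif any(q == s or q.endswith("." + s) for s in DYNDNS_SUFFIXES):
            dyndns.append((client, q))
    return exact, dyndns


# Constructed sample telemetry. The AppData\Roaming drop location is assumed.
SAMPLE_REGISTRY_EVENTS = [
    {"TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\AudioDriver",
     "Details": r"C:\Users\user\AppData\Roaming\AudioDriver\taskhost.exe"},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\user\AppData\Roaming\AudioDriver\taskhost.exe"},
    {"TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},
]
SAMPLE_DNS = [
    ("10.0.0.15", "gameservice.ddns.net"),
    ("10.0.0.15", "www.microsoft.com"),
    ("10.0.0.22", "otherhost.no-ip.org."),
]

if __name__ == "__main__":
    iocs = iocs_from_config(CONFIG)
    for hit in match_registry_events(SAMPLE_REGISTRY_EVENTS, iocs):
        print("REGISTRY", *hit)
    exact, dyn = match_dns(SAMPLE_DNS, iocs)
    print("C2 lookups:", exact)
    print("Other dynamic-DNS lookups to review:", dyn)
```

The Run-key rule fires on either the value name or the dropped file name, because the reg_key value is trivially changed between builds while the file name tends to survive. The Winlogon rule is deliberately generic (any Userinit or Shell value other than the stock one), since the signature "Modifies WinLogon for persistence" is about the key being touched at all, not about this sample's specific string.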

MITRE ATT&CK Matrix (ATT&CK v6; the number is the count of matching behaviors)

  • Persistence
      Winlogon Helper DLL (T1004): 1
      Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion
      Modify Registry (T1112): 3

  • Discovery
      Query Registry (T1012): 4
      System Information Discovery (T1082): 5
      Peripheral Device Discovery (T1120): 1

  • Command and Control
      Web Service (T1102): 1

Tasks