Overview

overview

10

Static

static

5

e924ac42c2...b9.exe

windows7-x64

10

e924ac42c2...b9.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e924ac42c2776f4f205adf4ac16ac9f084268b9dbf98c62bb5332023b2e7afb9

  • Size

    1.3MB

  • Sample

    230130-azk33scf8w

  • MD5

    24042fbaddf020f75245eb4fbbb83c37

  • SHA1

    95701bd8e4290dae49be65f568474ec05f0e31bd

  • SHA256

    e924ac42c2776f4f205adf4ac16ac9f084268b9dbf98c62bb5332023b2e7afb9

  • SHA512

    7e7eda6d359c98a93142a534692471c855fec68f31ee32032046f5188c8110cfad60b1c8670bbe1f29b59dc33c2453e23b83d40cb07b1f8b4ad10960ac49d171

  • SSDEEP

    12288:ghkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aU0P/DbQhyUek4vIv5Okp3:oRmJkcoQricOIQxiZY1iaU0XDkAS1spa

Score
10/10
darkcomet11111evasionpersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

11111

C2

daynasmith.no-ip.biz:100

Mutex

DC_MUTEX-CZZNYJ8

Attributes
  • InstallPath

    explorer\explorer.exe

  • gencode

    u4Tprg0v4gJm

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    explorer.exe

Targets

    • Target

      e924ac42c2776f4f205adf4ac16ac9f084268b9dbf98c62bb5332023b2e7afb9

    • Size

      1.3MB

    • MD5

      24042fbaddf020f75245eb4fbbb83c37

    • SHA1

      95701bd8e4290dae49be65f568474ec05f0e31bd

    • SHA256

      e924ac42c2776f4f205adf4ac16ac9f084268b9dbf98c62bb5332023b2e7afb9

    • SHA512

      7e7eda6d359c98a93142a534692471c855fec68f31ee32032046f5188c8110cfad60b1c8670bbe1f29b59dc33c2453e23b83d40cb07b1f8b4ad10960ac49d171

    • SSDEEP

      12288:ghkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aU0P/DbQhyUek4vIv5Okp3:oRmJkcoQricOIQxiZY1iaU0XDkAS1spa

    Score
    10/10
    darkcomet11111evasionpersistencerattrojanupx

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Modifies firewall policy service

      evasion

    • Modifies security service

      evasion

    • Windows security bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

2
T1031

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

7
T1112

Disabling Security Tools

2
T1089

Hidden Files and Directories

2
T1158

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks