darkcomet

General

Target

02f7467c0a07153c0c9fec745a96f819.exe
Size

347KB
Sample

230307-vp83daah87
MD5

02f7467c0a07153c0c9fec745a96f819
SHA1

1f3b662f4597a97182134c542718a09ac14dbe53
SHA256

00c4b01417f71763724949ffb123875e62fb8e79ce17ae1ab224acb9261221c7
SHA512

13d8ce07b201b74a648319f6a9cb20761ea1be819b915aa5d6b5112dbb31f693e777cc800b529f12737945844d411e1c2d9614be11e129561017cb34738010a4
SSDEEP

6144:T7L+PQIshf4BnYow5U7b7rSMauoLQF1I89lA:3issWUnShLQF1I89lA

Score

10^/10

darkcomet quasar ---trens--office2010 persistence rat spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

---trens--

C2

qassar1122.ddns.net:2007

Mutex

QSR_MUTEX_MnRnXGbvBvn8Tkxj0A

Attributes

encryption_key
i4DXiO929iCJdpvsIcV3
install_name
Update service.exe
log_directory
Logs
reconnect_delay
3000
startup_key
service update
subdirectory
microsofte

Extracted

Family

darkcomet

Botnet

office2010

C2

darck111.ddns.net:2006

Mutex

DCMIN_MUTEX-6C5K0B1

Attributes

gencode
v30h5qiY2jCx
install
false
offline_keylogger
true
persistence
false

Targets

- Target
  
  02f7467c0a07153c0c9fec745a96f819.exe
- Size
  
  347KB
- MD5
  
  02f7467c0a07153c0c9fec745a96f819
- SHA1
  
  1f3b662f4597a97182134c542718a09ac14dbe53
- SHA256
  
  00c4b01417f71763724949ffb123875e62fb8e79ce17ae1ab224acb9261221c7
- SHA512
  
  13d8ce07b201b74a648319f6a9cb20761ea1be819b915aa5d6b5112dbb31f693e777cc800b529f12737945844d411e1c2d9614be11e129561017cb34738010a4
- SSDEEP
  
  6144:T7L+PQIshf4BnYow5U7b7rSMauoLQF1I89lA:3issWUnShLQF1I89lA
Score

10^/10

darkcomet quasar ---trens--office2010 persistence rat spyware trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Modifies WinLogon for persistence

Quasar RAT

Quasar payload

Executes dropped EXE

UPX packed file

Uses the VBS compiler for execution

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2