Overview

overview

10

Static

static

1

omgf.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    omgf.exe

  • Size

    334KB

  • Sample

    230408-lhtvfacf82

  • MD5

    94417934059ba8724ff5933a244441da

  • SHA1

    3ac2b1bb84efd7284650ebb25c2a60d4665e8785

  • SHA256

    d530105c5a60d787d0060424b996e547f3db4b2cfd12d1320d56f3b59a2f34e3

  • SHA512

    3a7e6f666bbfc7b054f7d351c54915e16f57339628682fa5ac628619fb6b74e3216a53c79d861ac9f80e211f1df055e7f41f9bd4f83da49ef5883b854e8c2b68

  • SSDEEP

    6144:UMMWJH007FoGoyy3GSrsM/XII6aN2Z1sVd+SK6brDgNqpbn+UnCP8NBKKhcKXbJ:pJH0NGoyYYB7Z10s+DgNqR+T8NBKebJ

Score
10/10
darkcometguest16evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

147.185.221.212:46856

Mutex

DC_MUTEX-F4BY55C

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    K5uLvFjyQEWC

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      omgf.exe

    • Size

      334KB

    • MD5

      94417934059ba8724ff5933a244441da

    • SHA1

      3ac2b1bb84efd7284650ebb25c2a60d4665e8785

    • SHA256

      d530105c5a60d787d0060424b996e547f3db4b2cfd12d1320d56f3b59a2f34e3

    • SHA512

      3a7e6f666bbfc7b054f7d351c54915e16f57339628682fa5ac628619fb6b74e3216a53c79d861ac9f80e211f1df055e7f41f9bd4f83da49ef5883b854e8c2b68

    • SSDEEP

      6144:UMMWJH007FoGoyy3GSrsM/XII6aN2Z1sVd+SK6brDgNqpbn+UnCP8NBKKhcKXbJ:pJH0NGoyYYB7Z10s+DgNqR+T8NBKebJ

    Score
    10/10
    darkcometguest16evasionpersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Modifies firewall policy service

      evasion

    • Modifies security service

      evasion

    • Windows security bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

2
T1031

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

7
T1112

Disabling Security Tools

2
T1089

Hidden Files and Directories

2
T1158

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks