General

  • Target

    A1DB2JVWGG.CNT.exe

  • Size

    2.1MB

  • Sample

    230602-aq6y7aha97

  • MD5

    a7817732eded62797b0c5e9da109edd7

  • SHA1

    e7e868e8a529cdd6bd32b4fa3711eff0c9029dbb

  • SHA256

    95969e3e0c1793e6177d5c5d20c9a667c9f28bb64907ad489682c41668efc29d

  • SHA512

    3664953e0e5c601e8d8123c0b9f3f43d727bf6f48f81a93fed051d6f0d275728ceda92ecef201e4cdceac29c17ce66b46820a43a6dac9fd4b77b6d54f226db01

  • SSDEEP

    24576:tA74/4qimDN0nixgBQcZ+WtGsK0i+CqBRCJcbpaa4S7qeL7pjhlyIy6Vs6wGpYUa:tA74/t6FQcZ+WRs+BRL4ShjTyIF

Malware Config

Extracted

Family

darkcomet

Botnet

JUNE 2023

C2

timmy08.ddns.net:39399

Mutex

DC_MUTEX-75NC51J

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    l2V3BCJaaFmA

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    chrome

Extracted

Family

nanocore

Version

1.2.2.0

C2

timmy08.ddns.net:28289

timmy06.ddns.net:28289

Mutex

29684d78-e3d5-43d3-a123-9a499c3134c7

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    timmy06.ddns.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2023-03-13T20:49:24.260578036Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    28289

  • default_group

    JUNE 2023

  • enable_debug_mode

    true

  • gc_threshold

    10485760 (10 MiB)

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    10485760 (10 MiB)

  • mutex

    29684d78-e3d5-43d3-a123-9a499c3134c7

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    timmy08.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000
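
As an added example (not part of the sandbox report, and not tooling from the sandbox vendor or from either malware family), the Python below turns the two extracted configs into one network IOC set and runs it over constructed DNS and flow log lines in a made-up one-line format. Both families share timmy08.ddns.net but on different ports, so the key is (host, port); the ddns.net names are dynamic DNS, so a destination IP is only matched after our own DNS logs saw that IP returned for an IOC name; and NanoCore's primary_dns_server/backup_dns_server are reported as non-indicators because use_custom_dns_server is false and the values are Google's public resolvers.

```python
"""Network IOC extraction from the two configs above, run over constructed
DNS and flow log lines. Added example; not part of the sandbox report."""
import re

# Values copied from the extracted configs on this page.
EXTRACTED = {
    "darkcomet": {"c2": ["timmy08.ddns.net:39399"]},
    "nanocore": {
        "c2": ["timmy08.ddns.net:28289", "timmy06.ddns.net:28289"],
        "primary_dns_server": "8.8.8.8",
        "backup_dns_server": "8.8.4.4",
        "use_custom_dns_server": False,
    },
}


def network_iocs(extracted):
    """Map (host, port) -> set of families, and list config values that look
    like network indicators but should not be used as such."""
    iocs, ignored = {}, []
    for family, cfg in extracted.items():
        for entry in cfg["c2"]:
            host, _, port = entry.rpartition(":")
            iocs.setdefault((host.lower(), int(port)), set()).add(family)
        # NanoCore always stores DNS server fields; with use_custom_dns_server
        # false they are unused defaults (Google public resolvers here), and
        # blocking them would only break name resolution for the whole network.
        if not cfg.get("use_custom_dns_server"):
            for key in ("primary_dns_server", "backup_dns_server"):
                if key in cfg:
                    ignored.append((family, key, cfg[key]))
    return iocs, ignored


# Constructed log lines in a made-up one-line format (assumption, not a real
# product format):
#   <ts> dns <client> <qname> A <answer>
#   <ts> flow <src>:<sport> -> <dst>:<dport>
DNS_RE = re.compile(r"^(\S+) dns (\S+) (\S+) A (\S+)$")
FLOW_RE = re.compile(r"^(\S+) flow (\S+):(\d+) -> (\S+):(\d+)$")

SAMPLE_LOGS = [
    "2023-06-02T10:14:01Z dns 10.0.0.5 timmy08.ddns.net A 203.0.113.7",
    "2023-06-02T10:14:02Z flow 10.0.0.5:50122 -> 203.0.113.7:28289",  # NanoCore port
    "2023-06-02T10:14:03Z flow 10.0.0.5:50123 -> 203.0.113.7:39399",  # DarkComet port
    "2023-06-02T10:14:04Z flow 10.0.0.5:50124 -> 203.0.113.7:443",    # same IP, other port
    "2023-06-02T10:15:00Z dns 10.0.0.9 www.example.com A 93.184.216.34",
    "2023-06-02T10:15:01Z flow 10.0.0.9:50200 -> 93.184.216.34:28289",  # port alone
    "2023-06-02T10:16:00Z dns 10.0.0.5 TIMMY06.ddns.net. A 203.0.113.8",
]


def hunt(iocs, lines):
    """Flag lookups of IOC names, then flows to the IP *we* saw that name
    resolve to on an IOC port. ddns.net names change address, so an IP is
    only trusted when our own DNS logs tied it to the name."""
    hits, resolved = [], {}
    ioc_hosts = {host for host, _ in iocs}
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            ts, client, qname, answer = m.groups()
            qname = qname.lower().rstrip(".")
            if qname in ioc_hosts:
                families = sorted({f for (h, _), fs in iocs.items() if h == qname for f in fs})
                hits.append(("dns", ts, client, qname, families))
                resolved[answer] = qname
            continue
        m = FLOW_RE.match(line)
        if m:
            ts, src, _, dst, dport = m.groups()
            key = (resolved.get(dst), int(dport))
            if key in iocs:
                hits.append(("c2", ts, src, f"{key[0]}:{key[1]}", sorted(iocs[key])))
    return hits


if __name__ == "__main__":
    iocs, ignored = network_iocs(EXTRACTED)
    for hit in hunt(iocs, SAMPLE_LOGS):
        print(hit)
    for item in ignored:
        print("not an IOC:", item)
```

The flow to 203.0.113.7:443 and the flow to an unrelated host on 28289 are deliberately not flagged: the IP is only meaningful together with the name it was resolved from, and a bare port is not an indicator.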

Targets

    • Target

      A1DB2JVWGG.CNT.exe

    • Size

      2.1MB

    • MD5

      a7817732eded62797b0c5e9da109edd7

    • SHA1

      e7e868e8a529cdd6bd32b4fa3711eff0c9029dbb

    • SHA256

      95969e3e0c1793e6177d5c5d20c9a667c9f28bb64907ad489682c41668efc29d

    • SHA512

      3664953e0e5c601e8d8123c0b9f3f43d727bf6f48f81a93fed051d6f0d275728ceda92ecef201e4cdceac29c17ce66b46820a43a6dac9fd4b77b6d54f226db01

    • SSDEEP

      24576:tA74/4qimDN0nixgBQcZ+WtGsK0i+CqBRCJcbpaa4S7qeL7pjhlyIy6Vs6wGpYUa:tA74/t6FQcZ+WRs+BRL4ShjTyIF

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies security service

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Windows security bypass

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Sets the hidden attribute on a file so that Explorer and other directory listings do not show it by default.

    • Checks computer location settings

      Reads the country code configured in the registry; most likely used to geofence execution to or away from particular regions.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext
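
As an added example (not part of the report, and not code from the sandbox vendor or either malware family), the Python below expresses the host artifacts named in this signature list and in the DarkComet config as checks over constructed Sysmon-style events (event ID 13 registry value set, event ID 1 process create). The page gives only the Run value name (chrome) and a relative install path (MSDCSC\msdcsc.exe); the full user-profile path, the Policies\System\DisableTaskMgr value and the Winlogon UserInit value used here are assumptions about where those changes land, not details taken from the report.

```python
"""Host-artifact checks derived from the DarkComet config and the signature
list above, run over constructed Sysmon-style events. Added example; the
registry locations are assumptions, not values taken from the report."""

REG_KEY = "chrome"                      # reg_key from the DarkComet config
INSTALL_PATH = r"\msdcsc\msdcsc.exe"    # InstallPath from the DarkComet config

# Assumed registry locations (not stated on the page).
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
POLICIES_SYSTEM = r"\software\microsoft\windows\currentversion\policies\system"
WINLOGON = r"\software\microsoft\windows nt\currentversion\winlogon"


def exe_from_command(value):
    """Executable path from a Run/UserInit style command string."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(" ", 1)[0]


def check_event(ev):
    """Return (severity, rule, detail) findings for one event."""
    findings = []
    if ev["EventID"] == 13:  # Sysmon RegistryEvent (Value Set)
        key, _, name = ev["TargetObject"].rpartition("\\")
        key, name, details = key.lower(), name.lower(), ev["Details"]
        if key.endswith(RUN_KEY) and name == REG_KEY:
            exe = exe_from_command(details)
            # The value name alone is weak (a legitimate install may use it);
            # name plus the configured install path is the real indicator.
            sev = "high" if exe.lower().endswith(INSTALL_PATH) else "low"
            findings.append((sev, "run-key", exe))
        elif key.endswith(POLICIES_SYSTEM) and name == "disabletaskmgr" and details.endswith("(0x00000001)"):
            findings.append(("medium", "taskmgr-disabled", details))
        elif key.endswith(WINLOGON) and name == "userinit":
            # Stock value is "C:\Windows\system32\userinit.exe,"; anything
            # appended after the comma is an extra logon-time executable.
            entries = [e.strip() for e in details.split(",") if e.strip()]
            extra = [e for e in entries if not exe_from_command(e).lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(("high", "winlogon-userinit", extra))
    elif ev["EventID"] == 1:  # Sysmon ProcessCreate
        if ev["Image"].lower().endswith(INSTALL_PATH):
            findings.append(("high", "install-path-exec", ev["Image"]))
    return findings


def check_events(events):
    return [f for ev in events for f in check_event(ev)]


# Constructed events; the SID, user name and full paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\chrome",
     "Details": r'"C:\Users\victim\Documents\MSDCSC\msdcsc.exe"'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\victim\Documents\MSDCSC\msdcsc.exe"},
    {"EventID": 1, "Image": r"C:\Users\victim\Documents\MSDCSC\msdcsc.exe"},
    # Benign noise: same Run value name, legitimate target; stock UserInit; explorer.
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\chrome",
     "Details": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window'},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "Details": r"C:\Windows\system32\userinit.exe,"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for finding in check_events(SAMPLE_EVENTS):
        print(finding)
```

The Run value named chrome that points at a real Chrome binary is rated low rather than dropped, so an analyst still sees that the configured value name appeared, while only the combination with the MSDCSC\msdcsc.exe install path is treated as a confident DarkComet indicator.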

MITRE ATT&CK Enterprise v6

Tasks