General

  • Target

    a2e7bbf33efc80765f8340a57896ff8754f52a1290146d6fb8da389556146aad

  • Size

    246KB

  • Sample

    230822-srzklsdb52

  • MD5

    d9900b823e1fcc2ff39f260f8a45a9b1

  • SHA1

    493b72f70cb1c03cd6f0fd89c816e9a055084382

  • SHA256

    a2e7bbf33efc80765f8340a57896ff8754f52a1290146d6fb8da389556146aad

  • SHA512

    a5fe31249fccce738ebc2550e83f64ae891dbd7c6333cb85737e0b2720de7e92fb06cb34abeb35316e4e8a7d11efb51cc803788282f74cf3f258860b8a9aadb8

  • SSDEEP

    6144:O2e3jz1Wb0hOUnl0sa0GLIKG4L4NZ43VRvu:OrWbpClnbC1kMVR2

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

0.tcp.eu.ngrok.io:14265

0.tcp.eu.ngrok.io:1604

Mutex

DC_MUTEX-X8BTBKK

Attributes
  • InstallPath

    Java\java.exe

  • gencode

    Bx5rj4H5djuS

  • install

    true

  • offline_keylogger

    false

  • persistence

    true

  • reg_key

    Java

Targets

    • Target

      Ricardo.exe

    • Size

      252KB

    • MD5

      977eb155f21ccfb50bd210e133705602

    • SHA1

      152175de57511c0a991c8aae8fc6bd352eab852c

    • SHA256

      b42fadd40a04fceb97188af289a55b787c781245ae2bf44e6acaa083e5cb93a2

    • SHA512

      20bf1d9ad6b8e75bb65e6c051965c2599a78bd9f5a7b184a5b2e0c14ef4c62590a1c71b162a4e80e2ef5583b41b40600a3774df65c665117af3b84f26261d0b1

    • SSDEEP

      6144:6cNYk1yuwEDBum3qYWnl0pd0EX3Zq2b6wfIDYm0PHQ:6cWkbgTYWnYnt/IDYhP

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Sets the hidden file attribute on the dropped file so it is not shown by Explorer or other directory listings with default settings.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Windows security modification

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
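
The extracted configuration and the behaviour signatures above translate directly into host and network checks. The following Python is an added example, not output of the sandbox and not code from DarkComet itself: it takes the configuration values listed on this page (C2 endpoints, mutex, install path, Run-key value name) and runs them, together with the registry and network behaviours the signatures describe, over a small set of constructed telemetry lines. Assumptions are marked in the code: the registry paths are the standard Windows locations for the Run key, the Winlogon Userinit/Shell values and the Policies\System DisableTaskMgr/DisableRegistryTools values (the report names the behaviours but not the keys), the drop directory in the sample lines is assumed, and the telemetry format is invented for the example. Guest16 is DarkComet's default campaign ID and DC_MUTEX-<7 characters> its default mutex format, so the mutex check also accepts other builds that kept the default format.

```python
"""Host and network checks derived from the DarkComet config on this page.
Added example, not part of the sandbox report. Telemetry lines are constructed;
registry paths are the standard Windows locations (assumed, report does not list them).
"""
import re

# Configuration values as extracted on this page.
CONFIG = {
    "family": "darkcomet",
    "botnet": "Guest16",                 # DarkComet default campaign ID
    "c2": ["0.tcp.eu.ngrok.io:14265", "0.tcp.eu.ngrok.io:1604"],
    "mutex": "DC_MUTEX-X8BTBKK",         # DarkComet default format: DC_MUTEX-<7 chars>
    "install_path": r"Java\java.exe",
    "reg_key": "Java",                   # value name written under the Run key
}

# Registry targets behind "Disables RegEdit/Task Manager", "Modifies WinLogon"
# and "Adds Run key" (standard locations, assumed; the report does not name the keys).
POLICY_RE = re.compile(r"\\Policies\\System\\(DisableRegistryTools|DisableTaskMgr)$", re.I)
WINLOGON_RE = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.I)
RUN_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.I)
MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")

# Constructed telemetry in the form 'EVENT|field=value|...'. The drop directory is
# assumed. Two benign lines (pid 2204) show that the checks stay quiet on normal activity.
SAMPLE_TELEMETRY = [
    "ProcessCreate|pid=4120|image=C:\\Users\\alice\\Desktop\\Ricardo.exe",
    "MutexCreate|pid=4120|name=DC_MUTEX-X8BTBKK",
    "FileCreate|pid=4120|target=C:\\Users\\alice\\AppData\\Roaming\\Java\\java.exe",
    "RegistryValueSet|pid=4120|target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Java"
    "|data=C:\\Users\\alice\\AppData\\Roaming\\Java\\java.exe",
    "RegistryValueSet|pid=4120|target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr|data=1",
    "RegistryValueSet|pid=4120|target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools|data=1",
    "RegistryValueSet|pid=4120|target=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit"
    "|data=C:\\Windows\\system32\\userinit.exe,C:\\Users\\alice\\AppData\\Roaming\\Java\\java.exe",
    "NetworkConnect|pid=4120|dsthost=0.tcp.eu.ngrok.io|dstport=1604",
    "NetworkConnect|pid=2204|dsthost=update.example.net|dstport=443",
    "RegistryValueSet|pid=2204|target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"
    "|data=C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
]


def c2_endpoints(config):
    """Return the set of (host, port) pairs from the extracted C2 list."""
    out = set()
    for entry in config["c2"]:
        host, _, port = entry.rpartition(":")
        out.add((host.lower(), int(port)))
    return out


def parse_event(line):
    """Parse one telemetry line into a dict; the first field is the event type."""
    kind, *fields = line.strip().split("|")
    return {"event": kind, **dict(f.split("=", 1) for f in fields)}


def evaluate(config, lines):
    """Run the behaviour checks over telemetry; return sorted (technique, detail) findings."""
    c2 = c2_endpoints(config)
    install_path = config["install_path"].lower()
    findings = set()
    for ev in map(parse_event, lines):
        kind = ev["event"]
        if kind == "MutexCreate":
            if ev["name"] == config["mutex"]:
                findings.add(("config", f"mutex {ev['name']} matches the extracted config"))
            elif MUTEX_RE.match(ev["name"]):
                findings.add(("config", f"mutex {ev['name']} matches the DarkComet DC_MUTEX- format"))
        elif kind == "FileCreate":
            if ev["target"].lower().endswith("\\" + install_path):
                findings.add(("install", f"payload dropped as {ev['target']}"))
        elif kind == "RegistryValueSet":
            target, data = ev["target"], ev.get("data", "")
            if (m := POLICY_RE.search(target)) and data.strip() == "1":
                findings.add(("T1562.001", f"{m.group(1)} set to 1"))
            elif (m := WINLOGON_RE.search(target)):
                # Any rewrite of Userinit/Shell is rare outside OS setup; report it as-is.
                findings.add(("T1547.004", f"Winlogon {m.group(1)} rewritten to {data}"))
            elif (m := RUN_RE.search(target)) and m.group(1).lower() == config["reg_key"].lower():
                findings.add(("T1547.001", f"Run value {m.group(1)} -> {data}"))
        elif kind == "NetworkConnect":
            host, port = ev["dsthost"].lower(), int(ev["dstport"])
            if (host, port) in c2:
                findings.add(("C2", f"connection to configured C2 {host}:{port}"))
            elif host.endswith(".ngrok.io"):
                findings.add(("T1102", f"ngrok tunnel endpoint {host}:{port}"))
    return sorted(findings)


if __name__ == "__main__":
    for technique, detail in evaluate(CONFIG, SAMPLE_TELEMETRY):
        print(f"{technique:10} {detail}")
```

The ngrok branch is deliberately broader than the two configured endpoints: ngrok tunnels hand out different `N.tcp.<region>.ngrok.io` hostnames and ports per session, so a rule pinned to `0.tcp.eu.ngrok.io:1604` would miss the same operator's next tunnel, while a rule on the `.ngrok.io` suffix plus the DC_MUTEX- format catches rebuilt stubs.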

MITRE ATT&CK Matrix (ATT&CK v13)

The number in parentheses is the count of matched behaviours mapped to each technique. The autostart and service techniques are listed under both Persistence and Privilege Escalation because ATT&CK places them under both tactics.

Persistence

  • Boot or Logon Autostart Execution, T1547 (2)
    • Registry Run Keys / Startup Folder, T1547.001 (1)
    • Winlogon Helper DLL, T1547.004 (1)
  • Create or Modify System Process, T1543 (2)
    • Windows Service, T1543.003 (2)

Privilege Escalation

  • Boot or Logon Autostart Execution, T1547 (2)
    • Registry Run Keys / Startup Folder, T1547.001 (1)
    • Winlogon Helper DLL, T1547.004 (1)
  • Create or Modify System Process, T1543 (2)
    • Windows Service, T1543.003 (2)

Defense Evasion

  • Modify Registry, T1112 (7)
  • Impair Defenses, T1562 (2)
    • Disable or Modify Tools, T1562.001 (2)
  • Hide Artifacts, T1564 (2)
    • Hidden Files and Directories, T1564.001 (2)

Discovery

  • System Information Discovery, T1082 (1)

Command and Control

  • Web Service, T1102 (1)
