General

  • Target

    NEAS.8b48a1b5a19cb1e67f43c81386fa26d0.exe

  • Size

    325KB

  • Sample

    231101-rj6taafd67

  • MD5

    8b48a1b5a19cb1e67f43c81386fa26d0

  • SHA1

    bb8d38a056d805d0f10fbdbe810f968ff3b9d184

  • SHA256

    39b902c7f2684b5faf01bb3872ddd4fd4066f15553e6b009a9be0fef85928b2c

  • SHA512

    361cac8ab1d20df90dd498c6cee0f0b0a8a1716b88a0ce437c48defe16c48e416bb3a4e75e97d659fe06d10c26d5dbc0b08a1146283265e8c1da6c744883c2e7

  • SSDEEP

    6144:ZYgZdcJZs091uPFP1QpCT0LurJH1l3ZwzaKAG6cz9eswTfmr/yruO:ZY1JKIMlypCgiFJxlcz9eswT0hO

Malware Config

Extracted

Family

darkcomet

Botnet

WXXXXW

C2

euro2012.no-ip.org:22

euro2012.no-ip.org:3389

euro2012.no-ip.org:5631

Mutex

DC_MUTEX-X2H0E82

Attributes
  • InstallPath

    Debug\msdcsc.exe

  • gencode

    F4JVWk9c0ekU

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      NEAS.8b48a1b5a19cb1e67f43c81386fa26d0.exe

    • Darkcomet

      DarkComet is a remote access trojan (RAT) written by Jean-Pierre Lesueur (DarkCoderSc); its development stopped in 2012, but leaked builders keep it in circulation, and this sample still uses the stock defaults (DC_MUTEX- mutex prefix, MicroUpdate Run value, msdcsc.exe install name).

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Sets the hidden attribute on the dropped file so it is not shown in Explorer or other default directory listings.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build; unpack before doing static analysis of the 325KB stub.

    • Adds Run key to start application

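The extracted config and the persistence signatures above are a set of host and network indicators. The following Python, added here as an example and not part of the tria.ge report or of any tool it runs, turns them into checks over artifacts an incident responder usually has to hand: a .reg export of the Run and Winlogon keys, a mutex listing, and DNS query logs. It builds in two points a literal string match would miss: `MicroUpdate` and the `DC_MUTEX-` prefix are DarkComet defaults, so a prefix match also catches other builds of the family, and the C2 is a no-ip.org dynamic DNS name (on 22, 3389 and 5631, the conventional SSH, RDP and pcAnywhere ports) whose address can change at any time, so matching is on the hostname rather than an IP. The registry export, mutex names and log lines are constructed for the demo; the report does not say which Winlogon value is modified, so checking UserInit is an assumption.

```python
"""Turn the extracted DarkComet config into host/network checks (added example)."""
import re

# Values copied from the "Malware Config" section of this report.
CONFIG = {
    "c2": ["euro2012.no-ip.org:22", "euro2012.no-ip.org:3389", "euro2012.no-ip.org:5631"],
    "mutex": "DC_MUTEX-X2H0E82",
    "install_path": r"Debug\msdcsc.exe",
    "reg_key": "MicroUpdate",
}

# Constructed evidence for the demo (not from the report): a .reg export,
# a mutex listing (as from handle.exe) and DNS query log lines.
REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"MicroUpdate"="C:\\Users\\bob\\Documents\\Debug\\msdcsc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"UserInit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\bob\\Documents\\Debug\\msdcsc.exe"
'''.strip().splitlines()

MUTEXES = [
    r"\Sessions\1\BaseNamedObjects\DC_MUTEX-X2H0E82",
    r"\BaseNamedObjects\Global\OneDriveUpdate",
]

DNS_LOG = [
    "2023-11-01T14:31:02Z client=10.0.0.5 query=A euro2012.no-ip.org",
    "2023-11-01T14:31:05Z client=10.0.0.5 query=A update.microsoft.com",
]


def c2_hosts(config):
    """Return {hostname: {ports}} from the config's host:port C2 strings."""
    hosts = {}
    for entry in config["c2"]:
        host, _, port = entry.rpartition(":")
        hosts.setdefault(host.lower(), set()).add(int(port))
    return hosts


def parse_reg(lines):
    """Yield (key, name, data) for string values in a .reg export."""
    key = None
    for line in lines:
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def match_registry(lines, config):
    """Run/RunOnce value named like the config's reg_key, or the install
    binary chained into Winlogon UserInit (assumed target of the Winlogon edit)."""
    hits = []
    basename = config["install_path"].rsplit("\\", 1)[-1].lower()  # msdcsc.exe
    for key, name, data in parse_reg(lines):
        k = key.lower()
        if k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")) \
                and name.lower() == config["reg_key"].lower():
            hits.append(f"Run value {name!r} -> {data}")
        elif k.endswith("\\winlogon") and name.lower() == "userinit" \
                and basename in data.lower():
            hits.append(f"Winlogon UserInit chain includes {basename}: {data}")
    return hits


def match_mutexes(names, config):
    """Exact mutex from this config, plus the DC_MUTEX- prefix DarkComet builds use."""
    hits = []
    for n in names:
        leaf = n.rsplit("\\", 1)[-1]
        if leaf == config["mutex"]:
            hits.append(f"exact mutex {leaf}")
        elif leaf.startswith("DC_MUTEX-"):
            hits.append(f"DarkComet-style mutex {leaf} (different build)")
    return hits


def match_dns(lines, config):
    """Match the dynamic-DNS hostname; the resolved IP is not a stable indicator."""
    hosts = c2_hosts(config)
    hits = []
    for line in lines:
        m = re.search(r"query=\S+\s+(\S+)", line)
        if m:
            host = m.group(1).lower().rstrip(".")
            if host in hosts:
                hits.append(f"{host} (C2 ports {sorted(hosts[host])})")
    return hits


def scan(reg_lines, mutexes, dns_lines, config=CONFIG):
    """Run all three checks and return hits grouped by evidence type."""
    return {
        "registry": match_registry(reg_lines, config),
        "mutex": match_mutexes(mutexes, config),
        "dns": match_dns(dns_lines, config),
    }


if __name__ == "__main__":
    for kind, hits in scan(REG_EXPORT, MUTEXES, DNS_LOG).items():
        for h in hits:
            print(f"[{kind}] {h}")
```

On the constructed input the script reports the MicroUpdate Run value, the UserInit chain ending in msdcsc.exe, the exact mutex and the C2 lookup. Feed `scan()` a real `reg export` of the Run and Winlogon keys, a handle or volatility mutex listing, and resolver logs to run the same checks on a suspect host; a `DC_MUTEX-` prefix hit with a different suffix means another DarkComet build, not this sample.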