General

  • Target: 5bedbc7b01e9410b81bad533aa109c61
  • Size: 300KB
  • Sample: 231226-h3s7vsahhk
  • MD5: 5bedbc7b01e9410b81bad533aa109c61
  • SHA1: 943afda92a3ef77c273bfecec0221f07b968409f
  • SHA256: 578d7d940ff36b07229bcdf71a38959622238179775d635d4029b8d844564029
  • SHA512: f63dc072d6d0e124f90591470bc513b1acfde3f29d2842aa95e7418b770fa5e3634fd262b9699c21a3331dfe09dd628e12f5b01f0cebe4e2ebf52530d3c2b5cd
  • SSDEEP: 6144:jS1jaEHSqlqA1LFDUbv6+r8VjHYFCHirwlQ40/5S4OIHZK6DcIr00vU7AEO:jS1jaEoiLFYv6PYF1rwuY6Zvvbb

Malware Config

Extracted

  • Family: darkcomet
  • Botnet: PC
  • C2: 007makis.no-ip.biz:2222
  • Mutex: DC_MUTEX-5D09MVE

Attributes

  • InstallPath: MSDCSC\msdcsc.exe
  • gencode: FzXJUDVGYqEE
  • install: true
  • offline_keylogger: true
  • persistence: false
  • reg_key: MicroUpdate

Targets

    • Target: aIW2IH.dll
    • Size: 30KB
    • MD5: 1932fcc66401dba172082eca32428a83
    • SHA1: 4e4a32a6a6d1baa21751137cab65f36b13853665
    • SHA256: ff2a604fd002ec8dabfcee7c16e5a35e44cda0018b5484264fd4401dfe812662
    • SHA512: a2e4c9288257d074cd4c4227cb312af4ed050ce12d90fcc4afb16026c0eaa83bc9ba99032f4e9ef45b354c2c5061c758a871d0d6725e8e82b57d169e02655e2e
    • SSDEEP: 768:wLE1YJgTCQc4nG9egmQ0l+unrWuTvdvGTPdGhU/P2:wLE1YJgOQcaG9ehr7WuTluRMU32
    • Score: 1/10

    • Target: loader.exe
    • Size: 725KB
    • MD5: 3470d16d89dd68f5675deaf0c23bf064
    • SHA1: 1d92007c88404853d186780fa03e4b288aa1e94e
    • SHA256: 87181320d943c94d972adfd701ead7aec15f2a5f0ff1d36288fe1e6b827e9463
    • SHA512: 391cb3287a081c6c347bc6d00d5c2c6d80bde774d3404eaaf85e22d5802bf9a24b737e454651478961e7325c4720a8e1ef4c87b866ddd3af351e07421edaf1ba
    • SSDEEP: 12288:N9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hAT:nZ1xuVVjfFoynPaVBUR8f+kN10EBG

    Signatures:

    • Darkcomet: DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
    • Modifies WinLogon for persistence
    • Sets file to hidden: modifies file attributes to stop it showing in Explorer etc.
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • T1547 Boot or Logon Autostart Execution (2)
    • T1547.001 Registry Run Keys / Startup Folder (1)
    • T1547.004 Winlogon Helper DLL (1)

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution (2)
    • T1547.001 Registry Run Keys / Startup Folder (1)
    • T1547.004 Winlogon Helper DLL (1)

Defense Evasion

  • T1112 Modify Registry (2)
  • T1564 Hide Artifacts (2)
    • T1564.001 Hidden Files and Directories (2)

Discovery

  • T1012 Query Registry (1)
  • T1082 System Information Discovery (2)

Tasks