General

  • Target

    675f484e4d1852fe8a5a975c4da91b6a

  • Size

    6.9MB

  • Sample

    240119-mendxscfe3

  • MD5

    675f484e4d1852fe8a5a975c4da91b6a

  • SHA1

    91ef9f1b8f73cec6dddbbfe92ac1d2eb75707e60

  • SHA256

    6b5ac54f40652b3af8f38925fcece413f078c17e4a02ef7982005ee99fc82d8c

  • SHA512

    aa27059f0b4a92ddf359a1d79bf269238ea372145f1f84c9b2da8b81a10c94a87c5297725599cd409057fd38d7b802a7eb8e0df032eebafb679688a5bbecfae6

  • SSDEEP

    49152:dJjN9IQEiXmJPpVy75Jr5k1YJmWg7EMHodnnJ3qXwMG37VpQA226twgB3gVRWLYj:XnIQEiGM5ShBK2Aud9dr

Malware Config

Extracted

Family

darkcomet

Botnet

2021New-August-99-2

C2

andronmatskiv20.sytes.net:35887

Mutex

DC_MUTEX-5YG014U

Attributes
  • InstallPath

    office64.exe

  • gencode

    WxE6GmqrzCUo

  • install

    true

  • offline_keylogger

    false

  • password

    hhhhhh

  • persistence

    true

  • reg_key

    winoffice

Targets

    • Target

      675f484e4d1852fe8a5a975c4da91b6a

    • Size

      6.9MB

    • MD5

      675f484e4d1852fe8a5a975c4da91b6a

    • SHA1

      91ef9f1b8f73cec6dddbbfe92ac1d2eb75707e60

    • SHA256

      6b5ac54f40652b3af8f38925fcece413f078c17e4a02ef7982005ee99fc82d8c

    • SHA512

      aa27059f0b4a92ddf359a1d79bf269238ea372145f1f84c9b2da8b81a10c94a87c5297725599cd409057fd38d7b802a7eb8e0df032eebafb679688a5bbecfae6

    • SSDEEP

      49152:dJjN9IQEiXmJPpVy75Jr5k1YJmWg7EMHodnnJ3qXwMG37VpQA226twgB3gVRWLYj:XnIQEiGM5ShBK2Aud9dr

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Detect ZGRat V1

    • Modifies WinLogon for persistence

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
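
The extracted DarkComet config above is only useful to a responder once it becomes something that can be checked against a host. The following is an added example, not part of this report or of any sandbox tooling: it parses the config block as text, derives host and network indicators from it, and runs them over constructed Sysmon-style event lines plus one line from a hypothetical handle listing. The key=value event format, the file paths and the 203.0.113.10 address are constructed; treating reg_key as the Run value name (consistent with the "Adds Run key" signature) and the basename of InstallPath as the dropped file name are assumptions.

```python
import re

# The "Extracted" config block from the report above, reproduced as text input
# so the example runs offline.
EXTRACTED_CONFIG = """
Family: darkcomet
Botnet: 2021New-August-99-2
C2: andronmatskiv20.sytes.net:35887
Mutex: DC_MUTEX-5YG014U
InstallPath: office64.exe
gencode: WxE6GmqrzCUo
install: true
offline_keylogger: false
password: hhhhhh
persistence: true
reg_key: winoffice
"""

# Constructed Sysmon-style event lines (key=value, no spaces in values) and one
# line from a hypothetical handle listing; paths and 203.0.113.10 are made up.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Users\victim\AppData\Roaming\office64.exe ParentImage=C:\Users\victim\Downloads\sample.exe",
    r"EventID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winoffice Details=C:\Users\victim\AppData\Roaming\office64.exe",
    r"EventID=22 QueryName=andronmatskiv20.sytes.net Image=C:\Users\victim\AppData\Roaming\office64.exe",
    r"EventID=3 DestinationIp=203.0.113.10 DestinationPort=35887 Image=C:\Users\victim\AppData\Roaming\office64.exe",
    r"Mutant \BaseNamedObjects\DC_MUTEX-5YG014U",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe",
    r"EventID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details=C:\Users\victim\OneDrive.exe",
]


def parse_config(text):
    """Parse 'key: value' lines into a dict, keeping the report's own key names."""
    cfg = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def indicators(cfg):
    """Derive indicators from the config. Assumptions: reg_key is the Run value
    name used when persistence is true, and the basename of InstallPath is the
    dropped file name."""
    host, _, port = cfg["C2"].rpartition(":")
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["Mutex"],
        "install_file": cfg["InstallPath"].replace("/", "\\").rsplit("\\", 1)[-1].lower(),
        "run_value": cfg["reg_key"].lower() if cfg.get("persistence") == "true" else None,
    }


def parse_kv(line):
    """Split a key=value event line into a dict; text without key=value pairs yields {}."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def match_event(ind, line):
    """Return the names of the indicators the event line matches."""
    kv = parse_kv(line)
    hits = []
    image = kv.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image == ind["install_file"]:
        hits.append("install_file")
    target = kv.get("TargetObject", "").lower()
    if ind["run_value"] and target.endswith("\\currentversion\\run\\" + ind["run_value"]):
        hits.append("run_key")
    if kv.get("QueryName", "").lower() == ind["c2_host"]:
        hits.append("c2_dns")
    # A destination port alone is weak evidence; it is reported so it can
    # corroborate a DNS or process hit rather than stand on its own.
    if kv.get("DestinationPort") == str(ind["c2_port"]):
        hits.append("c2_port")
    # Mutex names do not appear in Sysmon events; this covers a handle listing.
    if ind["mutex"] in line:
        hits.append("mutex")
    return hits


def scan_events(ind, events):
    """Map event index -> matched indicator names, for events that match at all."""
    results = {}
    for i, line in enumerate(events):
        hits = match_event(ind, line)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    ind = indicators(parse_config(EXTRACTED_CONFIG))
    for i, hits in scan_events(ind, SAMPLE_EVENTS).items():
        print(i, hits, SAMPLE_EVENTS[i][:70])
```

The c2_port match is deliberately kept separate from the DNS match: a high, non-standard port is a useful corroborating signal but a poor standalone rule, while the dynamic DNS hostname, the Run value name and the DC_MUTEX-prefixed mutex are each specific enough to act on.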
