Overview

overview

10

Static

static

7

96ee0f0843...55.exe

windows7-x64

10

96ee0f0843...55.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    96ee0f084354988d85b39b85d3447055

  • Size

    446KB

  • Sample

    240212-mfq67scf99

  • MD5

    96ee0f084354988d85b39b85d3447055

  • SHA1

    5d91d785942d0ef20fe70b050b02c66509ff9626

  • SHA256

    b631129fa4689aed881c581f2cb0f68077569ed7556ff55b72c6ab68a598e207

  • SHA512

    ca49c5396d9cd18db27222f0684d80e858f3118dba704950de7b4201fa754e5fdbb0bdd60f028c37fea72427a0d03f920c1e78e9cda4e72146684f1341f419f7

  • SSDEEP

    6144:cDYZeUustkCXhKtq92Be87GzJ1QiH04B1LB/tG9KUaoH8zQwfI3rH4+dYDlj0WvW:DeU5t5ItqXwYt29TKI7HLQ+13

Score
10/10
darkcometguest16evasionpersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

sameg.no-ip.biz:1604

Mutex

DC_MUTEX-X2Y76GJ

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    Hoscy7HZWiFS

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      96ee0f084354988d85b39b85d3447055

    • Size

      446KB

    • MD5

      96ee0f084354988d85b39b85d3447055

    • SHA1

      5d91d785942d0ef20fe70b050b02c66509ff9626

    • SHA256

      b631129fa4689aed881c581f2cb0f68077569ed7556ff55b72c6ab68a598e207

    • SHA512

      ca49c5396d9cd18db27222f0684d80e858f3118dba704950de7b4201fa754e5fdbb0bdd60f028c37fea72427a0d03f920c1e78e9cda4e72146684f1341f419f7

    • SSDEEP

      6144:cDYZeUustkCXhKtq92Be87GzJ1QiH04B1LB/tG9KUaoH8zQwfI3rH4+dYDlj0WvW:DeU5t5ItqXwYt29TKI7HLQ+13

    Score
    10/10
    darkcometguest16evasionpersistencerattrojanupx

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Modifies firewall policy service

      evasion

    • Modifies security service

      evasion

    • Windows security bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Molebox Virtualization software

      Detects file using Molebox Virtualization software.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks