Resubmissions

19-02-2024 05:10

240219-ftyd4shh9y 10

General

  • Target

    $$dinamikCristal$$.exe

  • Size

    746KB

  • Sample

    240219-ftyd4shh9y

  • MD5

    54090521d667d44350d72b066c6f242a

  • SHA1

    20424c81eb3b6bd68467333f7e45e60f7571518a

  • SHA256

    1c21cb19240f4e2b1ec3490c54a437b84345f41298ccc3d5c17fe8bf3dd16ba3

  • SHA512

    fde7c2f5f2558bf315e567898f93bffa9320670ebddb6bbba66541c3a93f21737398ed7d1dd134086bb9e9cdd00f580f434ac210dd68e57a371df855af3222bc

  • SSDEEP

    12288:jBdlwHRn+WlYV+8T+tkpeZuCWbKeYQjL7niHpwrcURuwSs/Y:jBkVdlYAKc1WmEjL7niHpwrcU2s/Y

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

4.tcp.eu.ngrok.io:16885

4.tcp.eu.ngrok.io:1604

Mutex

DC_MUTEX-Z4PMKKC

Attributes
  • gencode

    42mAfR1mKy33

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      $$dinamikCristal$$.exe

    • Size

      746KB

    • MD5

      54090521d667d44350d72b066c6f242a

    • SHA1

      20424c81eb3b6bd68467333f7e45e60f7571518a

    • SHA256

      1c21cb19240f4e2b1ec3490c54a437b84345f41298ccc3d5c17fe8bf3dd16ba3

    • SHA512

      fde7c2f5f2558bf315e567898f93bffa9320670ebddb6bbba66541c3a93f21737398ed7d1dd134086bb9e9cdd00f580f434ac210dd68e57a371df855af3222bc

    • SSDEEP

      12288:jBdlwHRn+WlYV+8T+tkpeZuCWbKeYQjL7niHpwrcURuwSs/Y:jBkVdlYAKc1WmEjL7niHpwrcU2s/Y

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies firewall policy service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Modify Registry

4
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Command and Control

Web Service

1
T1102

Tasks