Overview

overview

10

Static

static

3

a795587152...16.exe

windows7-x64

10

a795587152...16.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a795587152419b35c1880ba782688016

  • Size

    1.3MB

  • Sample

    240226-232zjsaf45

  • MD5

    a795587152419b35c1880ba782688016

  • SHA1

    4701178e52fd1b14ae483dd69a89dd506b6cdfeb

  • SHA256

    452d8b86f670b835aad15c6cfc8a318b3ea378de24040e95a917aef4674ccd9d

  • SHA512

    1e63e14735f9af1dd94f67a9c0037d500008836f38742063e3e2fedd7fcbdab62447cc8178731d8c5380a45721a722da1697f15c62e082f1be54ab8894f4884e

  • SSDEEP

    24576:iQg65nDiUy93pcpA/7ymBGDEIda6VXj4a2f9v4zmgQnkYag5Hom5pzvnenYEs:iQgMXy95uAToEIda6eag4zmIYaeHtpyi

Score
10/10
darkcometguest16evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

colorlife.no-ip.biz:1604

Mutex

DC_MUTEX-PZSNDRX

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    Z4l2FD0l43nV

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      a795587152419b35c1880ba782688016

    • Size

      1.3MB

    • MD5

      a795587152419b35c1880ba782688016

    • SHA1

      4701178e52fd1b14ae483dd69a89dd506b6cdfeb

    • SHA256

      452d8b86f670b835aad15c6cfc8a318b3ea378de24040e95a917aef4674ccd9d

    • SHA512

      1e63e14735f9af1dd94f67a9c0037d500008836f38742063e3e2fedd7fcbdab62447cc8178731d8c5380a45721a722da1697f15c62e082f1be54ab8894f4884e

    • SSDEEP

      24576:iQg65nDiUy93pcpA/7ymBGDEIda6VXj4a2f9v4zmgQnkYag5Hom5pzvnenYEs:iQgMXy95uAToEIda6eag4zmIYaeHtpyi

    Score
    10/10
    darkcometguest16evasionpersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Modify Registry

2
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

1
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks