General

  • Target

    ce6de8599b565fddf67ee026ee4bc285

  • Size

    232KB

  • Sample

    240316-s6mvcsfh73

  • MD5

    ce6de8599b565fddf67ee026ee4bc285

  • SHA1

    a6045faafaecb660b65d45759b13a38ea2a7ce23

  • SHA256

    427f8b826a8cc9e9059fcd956636a37a6aab8a3162b1ad1a3cc24752f6e8f351

  • SHA512

    192e3ce197a090904d5e3838eb411e38097c20d5d7efbc6d055140fcc88e0a4cef78293e8c1c9c8abaeec55f075e17456e7607b7eaad1ed3b87866aa648d2a71

  • SSDEEP

    3072:SNztnBlBp9ALvNKMKWqXs8NqU+xwDbUe2WpZJmXHB8zrYqHphTfBsbOEU0+rDGLh:SNJfRAzNK5W/1WRmR4r7JhuyE8wPQ

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    trackingservice.zapto.org:1604

  • Mutex

    DC_MUTEX-Q0QBNJA

Attributes

  • InstallPath

    Windupdt\winupdate.exe

  • gencode

    ujn2qDPvmCGP

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    winupdater

Extracted

  • Family

    latentbot

  • C2

    trackingservice.zapto.org

Targets

    • Target

      ce6de8599b565fddf67ee026ee4bc285

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • LatentBot

      A modular trojan written in Delphi that has been in the wild since 2013.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    Boot or Logon Autostart Execution (T1547): 2
      Registry Run Keys / Startup Folder (T1547.001): 1
      Winlogon Helper DLL (T1547.004): 1
    Create or Modify System Process (T1543): 1
      Windows Service (T1543.003): 1

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 2
      Registry Run Keys / Startup Folder (T1547.001): 1
      Winlogon Helper DLL (T1547.004): 1
    Create or Modify System Process (T1543): 1
      Windows Service (T1543.003): 1

  • Defense Evasion

    Modify Registry (T1112): 3

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2
