darkcomet | d4abee16fb8f06376c64df9595c24b5c7d8c292bf49280b46113dba9219f80a9

Sharing

Copy URL

Twitter E-mail

General

Target

d4abee16fb8f06376c64df9595c24b5c7d8c292bf49280b46113dba9219f80a9
Size

351KB
MD5

11d49b7b599a5b8964db992c20799e43
SHA1

6ebdbbc391708e602378ce901f7e7b2ff4a2e533
SHA256

d4abee16fb8f06376c64df9595c24b5c7d8c292bf49280b46113dba9219f80a9
SHA512

ebe406d7f76baa5131daa6bfb2db1e3768577c27f601b3cda015482c6061032f7c2b1cd714062f4d9382e483f521c13fea642fd551e6fc2ce205581b6ac6573e
SSDEEP

6144:lvvYyFgDMY50EKXpRtdcNW4euiC2BOWrmZO5ReLZRcsDnvAJ/F/sp3VrUKcKk:lIR50EgpRtKNpcC2BkA5RefDvAJ9/spI

Score

10^/10

upx guest16 darkcomet

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

10.10.0.100:1604

Mutex

DC_MUTEX-F54S21D

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
gT3AYpfW5Hj0
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet family
darkcomet

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
static1/unpack001/d9d705a576cd648367347144e2bbacd697982b703fb0fdec295e5cd81968a858.exe	upx

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/d9d705a576cd648367347144e2bbacd697982b703fb0fdec295e5cd81968a858.exe

Files

d4abee16fb8f06376c64df9595c24b5c7d8c292bf49280b46113dba9219f80a9
.zip

Password: infected
d9d705a576cd648367347144e2bbacd697982b703fb0fdec295e5cd81968a858.exe
.exe windows:4 windows x86 arch:x86

2750597d6fc29423ecf0a5ce3d3fc4a2

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

user32

AnimateWindow
EnumDisplayMonitors
GetMonitorInfoA

version

VerQueryValueA
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

kernel32

lstrcpy
WriteProcessMemory
WriteFile
WinExec
WaitForSingleObject
WaitForMultipleObjectsEx
VirtualQuery
VirtualProtectEx
VirtualProtect
VirtualFreeEx
VirtualFree
VirtualAllocEx
VirtualAlloc
VerLanguageNameA
UnmapViewOfFile
TerminateProcess
SizeofResource
SetThreadPriority
SetThreadLocale
SetThreadContext
SetLastError
SetFileTime
SetFilePointer
SetFileAttributesA
SetEvent
SetErrorMode
SetEndOfFile
ResumeThread
ResetEvent
ReadProcessMemory
ReadFile
PeekNamedPipe
OpenProcess
MultiByteToWideChar
MulDiv
MoveFileA
MapViewOfFile
LockResource
LocalFileTimeToFileTime
LocalAlloc
LoadResource
LoadLibraryA
LeaveCriticalSection
IsBadReadPtr
InitializeCriticalSection
HeapFree
HeapAlloc
GlobalUnlock
GlobalMemoryStatus
GlobalLock
GlobalFree
GlobalFindAtomA
GlobalDeleteAtom
GlobalAlloc
GlobalAddAtomA
GetWindowsDirectoryA
GetVolumeInformationA
GetVersionExA
GetVersion
GetUserDefaultLangID
GetTickCount
GetThreadLocale
GetThreadContext
GetTempPathA
GetSystemPowerStatus
GetSystemDirectoryA
GetStdHandle
GetProcessHeap
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLocalTime
GetLastError
GetFullPathNameA
GetFileTime
GetFileSize
GetFileAttributesA
GetExitCodeThread
GetExitCodeProcess
GetEnvironmentVariableA
GetDriveTypeA
GetDiskFreeSpaceA
GetDateFormatA
GetCurrentThreadId
GetCurrentThread
GetCurrentProcessId
GetCurrentProcess
GetComputerNameA
GetCPInfo
FreeResource
InterlockedIncrement
InterlockedExchange
InterlockedDecrement
FreeLibrary
FormatMessageA
FindResourceA
FindNextFileA
FindFirstFileA
FindClose
FileTimeToSystemTime
FileTimeToLocalFileTime
FileTimeToDosDateTime
ExitThread
ExitProcess
EnumResourceNamesA
EnumCalendarInfoA
EnterCriticalSection
DosDateTimeToFileTime
DeleteFileA
DeleteCriticalSection
CreateThread
CreateRemoteThread
CreateProcessA
CreatePipe
CreateMutexA
CreateFileMappingA
CreateFileA
CreateEventA
CreateDirectoryA
CopyFileA
CompareStringA
CloseHandle
Beep
Sleep
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess

advapi32

RegSetValueExA
RegQueryValueExA
RegQueryInfoKeyA
RegOpenKeyExA
RegOpenKeyA
RegFlushKey
RegEnumValueA
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueA
LookupPrivilegeNameA
LookupPrivilegeDisplayNameA
LookupAccountSidA
IsValidSid
GetUserNameA
GetTokenInformation
GetSidSubAuthorityCount
GetSidSubAuthority
GetSidIdentifierAuthority
GetCurrentHwProfileA
AdjustTokenPrivileges
StartServiceA
QueryServiceStatus
OpenServiceA
OpenSCManagerA
EnumServicesStatusA
DeleteService
CreateServiceA
ControlService
CloseServiceHandle
IsValidSid

wsock32

__WSAFDIsSet
WSACleanup
WSAStartup
WSAGetLastError
gethostname
getservbyname
gethostbyname
gethostbyaddr
socket
shutdown
sendto
send
select
recv
htons
listen
ioctlsocket
inet_ntoa
inet_addr
htons
getsockname
connect
closesocket
bind

combase

CoTaskMemFree
StringFromCLSID
CoTaskMemFree
CLSIDFromProgID
ProgIDFromCLSID
StringFromCLSID
CoCreateInstance
CoUninitialize

shell32

ShellExecuteEx
ShellExecuteA
SHGetFileInfo
SHFileOperation
DragQueryFile
SHGetSpecialFolderLocation
SHGetPathFromIDList
SHEmptyRecycleBinA
ShellExecuteA

oleaut32

GetErrorInfo
GetActiveObject
SysFreeString
SafeArrayPtrOfIndex
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayCreate
VariantChangeType
VariantCopy
VariantClear
VariantInit
VariantCopy

ole32

CoInitialize
IsEqualGUID
IsEqualGUID

urlmon

URLDownloadToFileA
URLDownloadToFileA

comctl32

_TrackMouseEvent
ImageList_SetIconSize
ImageList_GetIconSize
ImageList_Write
ImageList_Read
ImageList_DragShowNolock
ImageList_DragMove
ImageList_DragLeave
ImageList_DragEnter
ImageList_EndDrag
ImageList_BeginDrag
ImageList_Remove
ImageList_DrawEx
ImageList_Draw
ImageList_GetBkColor
ImageList_SetBkColor
ImageList_Add
ImageList_GetImageCount
ImageList_Destroy
ImageList_Create
ImageList_Add

wininet

InternetOpenUrlA
InternetOpenA
InternetConnectA
InternetCloseHandle
FtpPutFileA
FtpPutFileA

winmm

waveInUnprepareHeader
waveInStart
waveInReset
waveInPrepareHeader
waveInOpen
waveInClose
waveInAddBuffer
PlaySoundA
mciSendStringA
waveInOpen

netapi32

Netbios
NetApiBufferFree
NetShareGetInfo
NetShareEnum
Netbios

gdiplus

GdipGetImageEncoders
GdipGetImageEncodersSize
GdipDrawImageRectI
GdipSetInterpolationMode
GdipDeleteGraphics
GdipCreateBitmapFromHBITMAP
GdipCreateBitmapFromScan0
GdipGetImagePixelFormat
GdipGetImageGraphicsContext
GdipSaveImageToStream
GdipDisposeImage
GdiplusShutdown
GdiplusStartup
GdipFree
GdipAlloc
GdipFree

msacm32

acmStreamUnprepareHeader
acmStreamPrepareHeader
acmStreamConvert
acmStreamReset
acmStreamSize
acmStreamClose
acmStreamOpen
acmStreamSize

ntdll

NtQuerySystemInformation
NtUnmapViewOfSection
NtUnmapViewOfSection
NtQuerySystemInformation

ws2_32

WSAIoctl
WSAIoctl
send

shfolder

SHGetFolderPathA
SHGetFolderPathA

avicap32

capGetDriverDescriptionA
capGetDriverDescriptionA

gdi32

SaveDC

Sections

UPX0
Size: 580KB - Virtual size: 580KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

UPX1
Size: 248KB - Virtual size: 248KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 123KB - Virtual size: 123KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

2750597d6fc29423ecf0a5ce3d3fc4a2

Headers

File Characteristics

Imports

user32

version

kernel32

advapi32

wsock32

combase

shell32

oleaut32

ole32

urlmon

comctl32

wininet

winmm

netapi32

gdiplus

msacm32

ntdll

ws2_32

shfolder

avicap32

gdi32

Sections

UPX0 Size: 580KB - Virtual size: 580KB

UPX1 Size: 248KB - Virtual size: 248KB

.rsrc Size: 123KB - Virtual size: 123KB

UPX0
Size: 580KB - Virtual size: 580KB

UPX1
Size: 248KB - Virtual size: 248KB

.rsrc
Size: 123KB - Virtual size: 123KB