General

  • Target: 8218115a8aa9fb8785be01107156c940_NeikiAnalytics
  • Size: 1.7MB
  • Sample: 240515-fjkp9saa8z
  • MD5: 8218115a8aa9fb8785be01107156c940
  • SHA1: 3432a7c2271ac540d77083c788b0a5048a2dbf39
  • SHA256: a91e2068f86ec6aaa7915412ff2bae036b094da03f7f313c69a35670b76e03e4
  • SHA512: 1cffa31dee900a30b1c9da9c862e516eddbc41eecb01d62fb57fe8dbf024d199e43aca2e5ec9cfc4014fda2491b28ebcf685a95e6be887fec4c4dddde268f9a9
  • SSDEEP: 49152:7JZoQrbTFZY1iaC25HFPqaT6DsP5Vsu+h4ih5:7trbTA1nPeD8k5

Malware Config

Extracted

  • Family: darkcomet
  • Botnet: Guest16
  • C2: moister.no-ip.org:1604
  • Mutex: DC_MUTEX-648J45J

Attributes
  • InstallPath: MSDCSC\msdcsc.exe
  • gencode: 8vkGu4g8AU6v
  • install: true
  • offline_keylogger: true
  • persistence: true
  • reg_key: rundll32

Targets


    • Darkcomet: DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
    • Modifies WinLogon for persistence
    • Sets file to hidden: Modifies file attributes to stop it showing in Explorer etc.
    • Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
    • Deletes itself
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
    • AutoIT Executable: AutoIT scripts compiled to PE executables.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

  Tactic               | Technique                          | ID        | Count
  ---------------------|------------------------------------|-----------|------
  Persistence          | Boot or Logon Autostart Execution  | T1547     | 2
  Persistence          | Registry Run Keys / Startup Folder | T1547.001 | 1
  Persistence          | Winlogon Helper DLL                | T1547.004 | 1
  Privilege Escalation | Boot or Logon Autostart Execution  | T1547     | 2
  Privilege Escalation | Registry Run Keys / Startup Folder | T1547.001 | 1
  Privilege Escalation | Winlogon Helper DLL                | T1547.004 | 1
  Defense Evasion      | Modify Registry                    | T1112     | 2
  Defense Evasion      | Hide Artifacts                     | T1564     | 2
  Defense Evasion      | Hidden Files and Directories       | T1564.001 | 2
  Discovery            | Query Registry                     | T1012     | 2
  Discovery            | System Information Discovery       | T1082     | 3
  Discovery            | Peripheral Device Discovery        | T1120     | 1
  Discovery            | Remote System Discovery            | T1018     | 1

Tasks