Overview

overview

10

Static

static

10

po.exe

windows7-x64

10

out.exe

windows7-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    po.com

  • Size

    349KB

  • Sample

    240522-xg13xacg33

  • MD5

    7322122846be9637275020846c5fb0d2

  • SHA1

    9371a70b37bf64ed384402de39884fc0b447d48c

  • SHA256

    fc3a88295fb3cbbbe8d2e67851ac49e0da3096e36687520bd79fca58381b1df6

  • SHA512

    67db69454b461c016d733e2040a7e9f1fe008f8a9f47fd7ac8c79961301f26308d1d987a8218078482ca64ad1f1032f55e36a635e4ec9169bc99a62a78b04303

  • SSDEEP

    6144:lcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37cZdA:lcW7KEZlPzCy37c

Score
10/10
darkcomettest vitvimevasionpersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

TEST VITVIM

C2

donm.zapto.org:4026

Mutex

DC_MUTEX-M2GTPUP

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    dytuNwlYgVU6

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      po.com

    • Size

      349KB

    • MD5

      7322122846be9637275020846c5fb0d2

    • SHA1

      9371a70b37bf64ed384402de39884fc0b447d48c

    • SHA256

      fc3a88295fb3cbbbe8d2e67851ac49e0da3096e36687520bd79fca58381b1df6

    • SHA512

      67db69454b461c016d733e2040a7e9f1fe008f8a9f47fd7ac8c79961301f26308d1d987a8218078482ca64ad1f1032f55e36a635e4ec9169bc99a62a78b04303

    • SSDEEP

      6144:lcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37cZdA:lcW7KEZlPzCy37c

    Score
    10/10
    darkcomettest vitvimevasionpersistencerattrojanupx

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Windows security bypass

      evasiontrojan

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

    • Target

      out.upx

    • Size

      756KB

    • MD5

      3ab9f6a2b2cc92b4a3137c7c7c6c19db

    • SHA1

      ff0049cc29d6bd3420ba8d1296bb1ba5192bfa3f

    • SHA256

      28db08b0fc40293da4ece8dd7ca8c952fa54aa2008a11b7237fef2993b4fad0c

    • SHA512

      f4340caeabd0193e88b91f569cf97fb13c5bc6d49b269dde0f1435f8f0ec3673ecb9442db96eab53cef06133c213313af315fcf3ecae0c714408a8a4aaeba06e

    • SSDEEP

      12288:49HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9EkNC/:sZ1xuVVjfFoynPaVBUR8f+kN10Ed

    Score
    3/10
    behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Modify Registry

4
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks