General

  • Target

    lom.7z

  • Size

    249KB

  • Sample

    240523-rm4hbseb82

  • MD5

    f16100031bd9943bd59c3219ef556ff5

  • SHA1

    37660dc3d184270ec91a642fbf0ca46aa495d6e9

  • SHA256

    7b8c3e7f330e0a2216f9a484aa1f56b68ed1325deb4f6ce6fe28cce0a3e53331

  • SHA512

    d297b8f852ad7fb07258aee1de0d79e103ad2efee7d48a48e5306719ad0700e82103eb3750f15ba00284d02e5a00f60a0edf9d3e8c23d80bccc2d3b65d66f0a1

  • SSDEEP

    6144:FKOgFdfD32D6IFTlcO2g4B36RfPHY8N+AhL75X0u:Yn5L2ZXcJ3ds48NVLL

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-C09QWLA

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    AfDHveDwjuqL

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate
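The "Extracted" block above is what a config decoder pulls out of the sample once the RC4-encrypted configuration is decrypted. Two practitioner notes: 127.0.0.1:1604 is the DarkComet builder's default C2 address and port, so this configuration gives no usable network indicator, and the mutex name, Run value name and install path are the host artifacts worth hunting for instead. The script below is an added example, not code from the sandbox report or its vendor: it implements RC4, tries the version-specific key prefixes that public DarkComet decoders use (an assumption; the page does not state the version), parses the KEY={value} lines (field names are likewise assumed from public decoders) and renames them to the attribute names the report uses. The ciphertext is constructed inline from the report's own values so the script runs offline.

```python
"""Decrypt and parse a DarkComet-style RC4 configuration blob.

Added example, not code from the sandbox report or its vendor. The RC4 key
prefixes and the KEY={value} field names are ASSUMPTIONS taken from public
DarkComet config decoders; the ciphertext below is CONSTRUCTED here from the
values the report extracted, so the script runs offline.
"""
from typing import Dict, Optional, Tuple

# Assumption: DarkComet derives the RC4 key from a version-specific prefix
# plus the (optional) password the operator set in the builder.
KNOWN_KEY_PREFIXES = [
    "#KCMDDC51#-890",   # 5.1
    "#KCMDDC5#-890",    # 5.0
    "#KCMDDC42F#-890",  # 4.2F
    "#KCMDDC42#-890",   # 4.2
    "#KCMDDC4#-890",    # 4.x
    "#KCMDDC2#-890",    # 2.x
]

# Assumption: mapping from DarkComet field names to the attribute names the
# report uses.
REPORT_FIELDS = {
    "NETDATA": "C2", "SID": "Botnet", "MUTEX": "Mutex", "GENCODE": "gencode",
    "EDTPATH": "InstallPath", "KEYNAME": "reg_key", "INSTALL": "install",
    "PERSINST": "persistence", "OFFLINEK": "offline_keylogger",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: one function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(text: str) -> Dict[str, str]:
    """Turn KEY={value} lines into a dict, skipping the #BEGIN/#EOF markers."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip("{}")
    return cfg


def decrypt_dcdata(hex_blob: str, password: str = "") -> Optional[Tuple[str, Dict[str, str]]]:
    """Try every key prefix; accept the first plaintext that carries the config header.

    Returns (key prefix that worked, parsed config), or None if nothing matched,
    e.g. because the operator set a builder password we did not supply.
    """
    raw = bytes.fromhex(hex_blob.strip())
    for prefix in KNOWN_KEY_PREFIXES:
        plain = rc4((prefix + password).encode("latin-1"), raw)
        if plain.startswith(b"#BEGIN DARKCOMET DATA"):
            return prefix, parse_config(plain.decode("latin-1", errors="replace"))
    return None


def report_view(cfg: Dict[str, str]) -> Dict[str, object]:
    """Rename fields to the report's attribute names; 0/1 flags become booleans."""
    view: Dict[str, object] = {}
    for field, name in REPORT_FIELDS.items():
        if field in cfg:
            value = cfg[field]
            view[name] = value == "1" if value in ("0", "1") else value
    return view


# CONSTRUCTED sample: the report's extracted values, serialised in the assumed
# field format and RC4-encrypted with the 5.1 prefix and an empty password.
_SAMPLE_PLAINTEXT = (
    "#BEGIN DARKCOMET DATA --\r\n"
    "MUTEX={DC_MUTEX-C09QWLA}\r\n"
    "SID={Guest16}\r\n"
    "NETDATA={127.0.0.1:1604}\r\n"
    "GENCODE={AfDHveDwjuqL}\r\n"
    "INSTALL={1}\r\n"
    "EDTPATH={MSDCSC\\msdcsc.exe}\r\n"
    "KEYNAME={MicroUpdate}\r\n"
    "PERSINST={1}\r\n"
    "OFFLINEK={1}\r\n"
    "#EOF DARKCOMET DATA --\r\n"
).encode("latin-1")
SAMPLE_DCDATA_HEX = rc4(b"#KCMDDC51#-890", _SAMPLE_PLAINTEXT).hex().upper()

if __name__ == "__main__":
    result = decrypt_dcdata(SAMPLE_DCDATA_HEX)
    if result is None:
        print("no known key matched (password-protected build?)")
    else:
        prefix, cfg = result
        print(f"key prefix: {prefix}")
        for name, value in report_view(cfg).items():
            print(f"  {name}: {value}")
```

On a real sample the hex blob would come from the binary's resource section rather than from the constructed constant; a password-protected build returns None, which is the signal to pull the password out of the binary or brute-force it rather than to trust a partial decode.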

Targets

    • Target

      lom.7z

    • Size

      249KB

    • MD5

      f16100031bd9943bd59c3219ef556ff5

    • SHA1

      37660dc3d184270ec91a642fbf0ca46aa495d6e9

    • SHA256

      7b8c3e7f330e0a2216f9a484aa1f56b68ed1325deb4f6ce6fe28cce0a3e53331

    • SHA512

      d297b8f852ad7fb07258aee1de0d79e103ad2efee7d48a48e5306719ad0700e82103eb3750f15ba00284d02e5a00f60a0edf9d3e8c23d80bccc2d3b65d66f0a1

    • SSDEEP

      6144:FKOgFdfD32D6IFTlcO2g4B36RfPHY8N+AhL75X0u:Yn5L2ZXcJ3ds48NVLL

    Score
    3/10
    • Target

      lom.bat

    • Size

      251KB

    • MD5

      94ec47db97b8cce768152b5c505a0cd7

    • SHA1

      f2b8e8e684b07af278edbeb71489fe7fd5985436

    • SHA256

      760cbe63f0ac000aa008ad67f0ed34bfba214d8df9dec5e8a036c8d496b5404d

    • SHA512

      6dce5c04d362242539e7846d789038eca682c4dfd184ac63b6ef9977a4222168d70b48a036f6b8daa943a7ec42874d24a7f24dc6c6e5c9f6bc53b944597343ff

    • SSDEEP

      6144:gcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37:gcW7KEZlPzCy37

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Sets file attributes so the file is not shown in Explorer and similar listings by default.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Adds Run key to start application

    • Target

      out.upx

    • Size

      658KB

    • MD5

      8c988ac398228e41579fa70791aeb633

    • SHA1

      ce3afa488e643414efd07d9fef87c7249b111754

    • SHA256

      1c4a040a683245558eaeb49059145f14b6e560ef84156356da1fe3203be9bd91

    • SHA512

      e8bfffea16f79fd6a896520bbaedb7ee62a274a3dd5169ea351da685d4f627e4c0a308d5c70d198c0d2e7a31ed5e5a05c67fab86894ef6ea08d9bda2da99da6b

    • SSDEEP

      12288:r9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9EkNC/:lZ1xuVVjfFoynPaVBUR8f+kN10Ed

    Score
    3/10

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                               ID           Hits
  Persistence            Boot or Logon Autostart Execution       T1547        2
                           Registry Run Keys / Startup Folder    T1547.001    1
                           Winlogon Helper DLL                   T1547.004    1
  Privilege Escalation   Boot or Logon Autostart Execution       T1547        2
                           Registry Run Keys / Startup Folder    T1547.001    1
                           Winlogon Helper DLL                   T1547.004    1
  Defense Evasion        Modify Registry                         T1112        2
                         Hide Artifacts                          T1564        2
                           Hidden Files and Directories          T1564.001    2
  Discovery              System Information Discovery            T1082        2
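The signatures and ATT&CK mappings above (Run key, Winlogon modification, hidden files) translate directly into host-side hunting logic. The script below is an added example, not code from the report or the sandbox vendor: it parses an offline .reg export and a file-attribute listing, both constructed inline, and tags each hit with the ATT&CK ID the matrix lists. One assumption is labelled in the code: the Winlogon change is modelled as the install path being appended to the Userinit value, which is how public analyses describe DarkComet, whereas the report itself only says "Modifies WinLogon".

```python
"""Hunt for the persistence and hiding artifacts the report lists (Run key,
Winlogon value, hidden install directory) in an offline registry export and a
file-attribute listing, tagging each hit with its ATT&CK ID.

Added example, not from the report or the sandbox vendor. The .reg text and the
file listing are CONSTRUCTED. ASSUMPTION: the Winlogon change is modelled as the
install path being appended to the Userinit value, which is how public analyses
describe DarkComet; the report itself only says "Modifies WinLogon".
"""
import re
from typing import Iterable, List, Tuple

Finding = Tuple[str, str]   # (ATT&CK ID, evidence)

# Indicators copied from the report's extracted config.
REG_KEY_NAME = "MicroUpdate"
INSTALL_PATH = r"MSDCSC\msdcsc.exe"
INSTALL_DIR = INSTALL_PATH.split("\\")[0]

RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
WINLOGON_SUFFIX = "\\windows nt\\currentversion\\winlogon"
# Clean defaults for the two Winlogon values that RATs commonly abuse.
WINLOGON_DEFAULTS = {
    "userinit": r"c:\windows\system32\userinit.exe",
    "shell": "explorer.exe",
}


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Parse a minimal .reg export into (key, value_name, data) triples."""
    triples, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:   # .reg doubles backslashes inside string data
                triples.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return triples


def hunt_registry(triples: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for key, name, data in triples:
        k, n, d = key.lower(), name.lower(), data.lower()
        if k.endswith(RUN_KEY_SUFFIXES):
            # T1547.001: the report's value name, or any Run entry pointing at the install path
            if n == REG_KEY_NAME.lower() or INSTALL_PATH.lower() in d:
                findings.append(("T1547.001", f"{key}\\{name} = {data}"))
        elif k.endswith(WINLOGON_SUFFIX) and n in WINLOGON_DEFAULTS:
            # T1547.004: anything beyond the stock Userinit/Shell value is suspect
            if d.rstrip(",") != WINLOGON_DEFAULTS[n]:
                findings.append(("T1547.004", f"{key}\\{name} = {data}"))
    return findings


def hunt_hidden_install(listing: Iterable[Tuple[str, str]]) -> List[Finding]:
    """T1564.001: hidden attribute on the install directory or anything under it."""
    marker = f"\\{INSTALL_DIR.lower()}"
    return [("T1564.001", f"{path} [{attrs}]")
            for path, attrs in listing
            if "H" in attrs.upper() and marker in path.lower()]


def hunt(reg_text: str, listing: Iterable[Tuple[str, str]]) -> List[Finding]:
    return hunt_registry(parse_reg_export(reg_text)) + hunt_hidden_install(listing)


# CONSTRUCTED registry export: one benign Run entry, the RAT's Run entry, and a
# Winlogon Userinit value with the install path appended (see assumption above).
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"MicroUpdate"="C:\\Users\\victim\\Documents\\MSDCSC\\msdcsc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\victim\\Documents\\MSDCSC\\msdcsc.exe"
"""

# CONSTRUCTED file listing as (path, attribute letters in attrib's style).
SAMPLE_FILE_LISTING = [
    (r"C:\Users\victim\Documents\MSDCSC", "SH"),
    (r"C:\Users\victim\Documents\MSDCSC\msdcsc.exe", "ASH"),
    (r"C:\Users\victim\Documents\report.docx", "A"),
]

if __name__ == "__main__":
    for attack_id, evidence in hunt(SAMPLE_REG_EXPORT, SAMPLE_FILE_LISTING):
        print(f"{attack_id}  {evidence}")
```

The Winlogon rule deliberately compares against the clean default rather than looking for msdcsc.exe, so it also catches a rebuilt sample with a different install path; the Run-key rule does both, matching the report's value name and the install path independently.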

Tasks