General

  • Target

    lab_samples.7z

  • Size

    1.2MB

  • Sample

    241222-3d1wmasjcj

  • MD5

    1b7491958a16c4e0b40e214905da4e48

  • SHA1

    6e5e2fd20d08df8157d5daf6a963252ec8dbf42f

  • SHA256

    69366a4a73f7d9fd02ebbfdc35e504b8ec6203571d3f4b99f94a7a25e994d53d

  • SHA512

    dc850e266c72b6f0cecc367ced1636da99505e84faa708ff9ad31bacb6140a0384e0830976288119e1fc939738f2bb69cbb732982bb0d102f5bd6d29194a4f8b

  • SSDEEP

    24576:MH3Vta5A/hn3fkt/qcZKqEDkWQAF8frgEcP1+ItPv3/iuD:MXVtaE8t/q6v4kxc8fg/X3Ko

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

test213.no-ip.info:1604

Mutex

DC_MUTEX-KHNEW06

Attributes
  • InstallPath

    MSDCSC\runddl32.exe

  • gencode

    F6FE8i2BxCpu

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      lab_samples/1e3966e77ad1cbf3e3ef76803fbf92300b2b88af39650a1208520e0cdc05645b.exe

    • Size

      766KB

    • MD5

      405dba47e2b03f53db2101444e6a925c

    • SHA1

      ed769ff77f46730a9b58a111c52f9e498ec00838

    • SHA256

      1e3966e77ad1cbf3e3ef76803fbf92300b2b88af39650a1208520e0cdc05645b

    • SHA512

      3628944242f0b9d80204dfddcea4189ee7f703ba4498c6a818c83d570d97477ec1273270fef65e993cb0f6bed2d0c915cd3d68a5b35375e257a3879f4859c869

    • SSDEEP

      12288:Qq9hmQkwvH0pmjqM31df4NIAOCIWL92Tnhz0ehT2LPXvLtJ:TpkwMpm+i1dfcjIw921z0GT2Dvb

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      lab_samples/6562e2ac60afa314cd463f771fcfb8be70f947f6e2b314b0c48187eebb33dd82.exe

    • Size

      87KB

    • MD5

      a579d53a1d29684de6d2c0cbabd525c5

    • SHA1

      17661a04b4b150a6f70afdabe3fd9839cc56bee8

    • SHA256

      6562e2ac60afa314cd463f771fcfb8be70f947f6e2b314b0c48187eebb33dd82

    • SHA512

      a98456792d7f7c83d0fe6be3ce6c48a4630a073b456848e0c8f614efe292a24fcf8d879ead5f2b418e5e29f46ae9356691383ba57e6066c5cacc0d47e675f817

    • SSDEEP

      1536:PwjBg7Rj2r+65ofVkOu2avMtRsCtQqES1IVSJjXTmgacggNp:YjBY12G7uJvMnsGQhSYEmgacx

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Target

      lab_samples/6d34ded00c0da9887ba752872093f59c649de72a1f629a32014f5ed8be509363.exe

    • Size

      658KB

    • MD5

      f6351da84168d40fae8da0c156fbab0f

    • SHA1

      1a2283c85bc5c655f5f2f77f27ec3a9412e8db7e

    • SHA256

      6d34ded00c0da9887ba752872093f59c649de72a1f629a32014f5ed8be509363

    • SHA512

      9948e83f004bb6d0edf14626660365e469dec444128e820f82066e73177f5de109d048fe226a9cbe95cfc6a99a9d4c501ab3f3900aa2e3677434f03d52694607

    • SSDEEP

      12288:e9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hn:qZ1xuVVjfFoynPaVBUR8f+kN10EBV

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      lab_samples/a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe

    • Size

      312KB

    • MD5

      3c1228d714eeda8f94ebbcdb1d75a284

    • SHA1

      1728dfe3e2378b6c88e859e6af79c32b612aefc6

    • SHA256

      a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215

    • SHA512

      b3b6e81b9588fbbf42a96e4ce71e7428b52dd9b59a01ac934e63f1bce309609f507ae6f827c776a3eedc0afe45521466c4ddb76b851476fc774c8e3edcf713e4

    • SSDEEP

      6144:eaXnROjLTs0Yb+AjEk+9x94SsWLkBPR3T7IrRAFoFc3WUk:1hOjXjY9tKxu3WwPRj0eoFc3WR

    Score
    3/10
    • Target

      lab_samples/b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe

    • Size

      659KB

    • MD5

      b3dc48d13f7d541fa583bf964c0603bf

    • SHA1

      1dbaa68adc0a592508f7ad715bfcdf79c17990d6

    • SHA256

      b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7

    • SHA512

      193bda0656a9d1be54dc655d9af3224ddccb78fc26aa77618fba1e3c36005a0368a200960cc28facc280df667f51a26bbef62282bbf8837cc036a41bfb8525f4

    • SSDEEP

      12288:JR2N+L3K6boxK6dSmiTwntcm3Kbjbgv8YXoNCMF6+yWiL4Wlsfppj4W:P8+L3UM6SIcsHj4N5F6+yW/W4XP

    Score
    7/10
    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      lab_samples/e30b76f9454a5fd3d11b5792ff93e56c52bf5dfba6ab375c3b96e17af562f5fc.exe

    • Size

      172KB

    • MD5

      6e5654da58c03df6808466f0197207ed

    • SHA1

      594f33ad9d7f85625a88c24903243ba9788fba86

    • SHA256

      e30b76f9454a5fd3d11b5792ff93e56c52bf5dfba6ab375c3b96e17af562f5fc

    • SHA512

      6542a42528f11085376ba893615cd7b68b37e1c78427c678db658e6174ca8d0ac893b071aa55e8d3924a6a2235657322eadf025f10e26c4a0c9858e3c12eb264

    • SSDEEP

      3072:qZkKstjomW1XBJqhhPQa77l79KQXF6yvf4FkbmB7VU2fMa+:zvUmgqkm9KQXF6yvwCbu7gT

    Score
    6/10
    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks