Overview

overview

10

Static

static

10

lab_sample...15.exe

windows7-x64

7

lab_sample...15.exe

windows10-2004-x64

3

lab_sample...c7.exe

windows7-x64

3

lab_sample...c7.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    lab_samples.7z

  • Size

    1.2MB

  • Sample

    250107-p6jk6atnhn

  • MD5

    1b7491958a16c4e0b40e214905da4e48

  • SHA1

    6e5e2fd20d08df8157d5daf6a963252ec8dbf42f

  • SHA256

    69366a4a73f7d9fd02ebbfdc35e504b8ec6203571d3f4b99f94a7a25e994d53d

  • SHA512

    dc850e266c72b6f0cecc367ced1636da99505e84faa708ff9ad31bacb6140a0384e0830976288119e1fc939738f2bb69cbb732982bb0d102f5bd6d29194a4f8b

  • SSDEEP

    24576:MH3Vta5A/hn3fkt/qcZKqEDkWQAF8frgEcP1+ItPv3/iuD:MXVtaE8t/q6v4kxc8fg/X3Ko

Score
10/10
darkcometguest16discoverypersistence

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

test213.no-ip.info:1604

Mutex

DC_MUTEX-KHNEW06

Attributes
  • InstallPath

    MSDCSC\runddl32.exe

  • gencode

    F6FE8i2BxCpu

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      lab_samples/a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe

    • Size

      312KB

    • MD5

      3c1228d714eeda8f94ebbcdb1d75a284

    • SHA1

      1728dfe3e2378b6c88e859e6af79c32b612aefc6

    • SHA256

      a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215

    • SHA512

      b3b6e81b9588fbbf42a96e4ce71e7428b52dd9b59a01ac934e63f1bce309609f507ae6f827c776a3eedc0afe45521466c4ddb76b851476fc774c8e3edcf713e4

    • SSDEEP

      6144:eaXnROjLTs0Yb+AjEk+9x94SsWLkBPR3T7IrRAFoFc3WUk:1hOjXjY9tKxu3WwPRj0eoFc3WR

    Score
    7/10
    discoverypersistence

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      lab_samples/b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe

    • Size

      659KB

    • MD5

      b3dc48d13f7d541fa583bf964c0603bf

    • SHA1

      1dbaa68adc0a592508f7ad715bfcdf79c17990d6

    • SHA256

      b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7

    • SHA512

      193bda0656a9d1be54dc655d9af3224ddccb78fc26aa77618fba1e3c36005a0368a200960cc28facc280df667f51a26bbef62282bbf8837cc036a41bfb8525f4

    • SSDEEP

      12288:JR2N+L3K6boxK6dSmiTwntcm3Kbjbgv8YXoNCMF6+yWiL4Wlsfppj4W:P8+L3UM6SIcsHj4N5F6+yW/W4XP

    Score
    7/10
    discovery

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks