General
- Target: thing.zip
- Size: 9.2MB
- Sample: 250125-nnbxxsslgr
- MD5: 360bd125ae5e6cb6c934b50eeb4191a5
- SHA1: bc960e65d6499e41899fafd877a5e7bb9e326783
- SHA256: 5a478ba296c294b8633fc59b79f20157f5b07a6599bb43f33f34578347bcc6c8
- SHA512: ee5db52182acee40f9d92a61fcad77e09b26cdf72905a071f383666d90cd33904d14570e2628feea4a483611a041593df074f53e64c5d157e2ac2c40d48ce62c
- SSDEEP: 196608:P5DaOjoCKmlxe54J+hqlBU1Josh40EtboGZh3AcqkOkexP5qcp06Gyzt:RDL1Kl54J+hyU12s1Etbd33ROBHqd6Gi
Behavioral task: behavioral1
- Sample: thing.zip
- Resource: win10v2004-20241007-en
Malware Config
Extracted
- Family: darkcomet
- Botnet: Sazan
- C2: icy-pond-00312.pktriot.net:22742
- Mutex: DC_MUTEX-C1LUE6A
  - InstallPath: MSDCSC\msdcsc.exe
  - gencode: z3e1aKbR3uF8
  - install: true
  - offline_keylogger: true
  - persistence: true
  - reg_key: MicroUpdate
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: 82.222.125.34:1604, 192.168.1.107:1111
- Mutex: DC_MUTEX-8ZU2Z4Y
  - InstallPath: MSDCSC\msdcsc.exe
  - gencode: dfsfNq1StomG
  - install: true
  - offline_keylogger: true
  - persistence: true
  - reg_key: system
Targets
- Target: thing.zip (size and hashes as listed under General)
- Darkcomet family
- Detect Neshta payload
- Modifies WinLogon for persistence
- Neshta
  Malware from the Neshta family is a file infector: it inserts itself into other files to spread and cause damage.
- Neshta family
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15 (technique counts in parentheses)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Component Object Model Hijacking (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Component Object Model Hijacking (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (3)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)