Overview

overview

10

Static

static

3

FakeWebcam6.2.exe

windows7-x64

10

FakeWebcam6.2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/03/2025, 19:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FakeWebcam6.2.exe

  • Size

    632KB

  • MD5

    85ea1c7e59b63c1731d642e576b8d5bd

  • SHA1

    44ffbcbe5bed1be774c97f24a60a70186e525510

  • SHA256

    8d18c9599f3f743b6f3abb2d20887ab1f4178e53cd2948cd226d2f189dd65804

  • SHA512

    1ce0cfd5ee9eaa2b272eb240a06c01ae79e6a5650646c73dff2c7bc4227ca4fbad623afccd521dab8d97f4cdb5fd47ff671cfe6f386a46964491f20cf867d96b

  • SSDEEP

    12288:6Gfkwc4ybTNaaaqvE9mJknkSD9MfsTXbsO4uaFNHRLIEvXU195:NMwVW2kHxw

Score
10/10
darkcomethackeddiscoverypersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Hacked

C2

kingkingofhacker.no-ip.biz:1604

Mutex

DC_MUTEX-XYZSRMS

Attributes
  • InstallPath

    FakeWebcam.exe

  • gencode

    DNUieDl1NhPQ

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FakeWebcam6.2.exe
    "C:\Users\Admin\AppData\Local\Temp\FakeWebcam6.2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Users\Admin\AppData\Local\Temp\FakeWebcam6.2.exe
      C:\Users\Admin\AppData\Local\Temp\FakeWebcam6.2.exe
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Users\Admin\Documents\FakeWebcam.exe
        "C:\Users\Admin\Documents\FakeWebcam.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:928
        • C:\Users\Admin\Documents\FakeWebcam.exe
          C:\Users\Admin\Documents\FakeWebcam.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2172

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Documents\FakeWebcam.exe
    Filesize

    632KB

    MD5

    85ea1c7e59b63c1731d642e576b8d5bd

    SHA1

    44ffbcbe5bed1be774c97f24a60a70186e525510

    SHA256

    8d18c9599f3f743b6f3abb2d20887ab1f4178e53cd2948cd226d2f189dd65804

    SHA512

    1ce0cfd5ee9eaa2b272eb240a06c01ae79e6a5650646c73dff2c7bc4227ca4fbad623afccd521dab8d97f4cdb5fd47ff671cfe6f386a46964491f20cf867d96b

    Download Submit

  • memory/928-21-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/928-18-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/1392-1-0x0000000002290000-0x0000000002294000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1392-0-0x00000000021E0000-0x00000000021E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2172-31-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2172-33-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2172-47-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2172-46-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2172-45-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2172-44-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2172-25-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2172-27-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2172-28-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2172-26-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2172-43-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2172-42-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2172-32-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2172-41-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2172-34-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2172-35-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2172-36-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2172-37-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2172-38-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2172-39-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2172-40-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/4632-6-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/4632-2-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/4632-29-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/4632-4-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/4632-5-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/4632-7-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/4632-8-0x0000000000400000-0x00000000004E8000-memory.dmp

    Filesize

    928KB

    Download