darkcomet

General

Target

357b5f06e0a084f8c37e6a38afa29c76.exe
Size

42.2MB
Sample

250308-b23atazrv2
MD5

357b5f06e0a084f8c37e6a38afa29c76
SHA1

e7de8b81872b571e9e0fe6dcc48c94dfe8d50318
SHA256

72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528
SHA512

ab539349cb46cdf4c2ce48569a123abc9634adebe68e0ccd19c89f008692651deb727892c1476796d0229965ed25d96b73735ce9ab86fad2bf67abd65ae9cd36
SSDEEP

786432:M129ofpkXbsydPnpeWjrqBqe4k51vJ8EhsI14StdNoIvTe3HzuREJgIkH5:Y29AwsydPnpXqBq4pmEhh4Sj9Te3TGEk

Score

10^/10

Malware Config

Extracted

Family

pony

C2

http://www.orway.bplaced.net/pony/gate.php

http://www.socialnetwork-toolbase.de/ucs/pny/gate.php

http://btcminer.ddns.net/pony/gate.php

Extracted

Family

darkcomet

Botnet

SPREADDDD

C2

852000.ddns.net:1604

btcminer.ddns.net:1604

p2k15.ddns.net:1604

Mutex

DC_MUTEX-H0WQWZT

Attributes

gencode
skMDhHCCHML8
install
false
offline_keylogger
true
persistence
false

rc4.plain

Targets

- Target
  
  357b5f06e0a084f8c37e6a38afa29c76.exe
- Size
  
  42.2MB
- MD5
  
  357b5f06e0a084f8c37e6a38afa29c76
- SHA1
  
  e7de8b81872b571e9e0fe6dcc48c94dfe8d50318
- SHA256
  
  72a4f802a0818076f00fdf7ca1710fad0f35244e472a74845f9cf6c2644cc528
- SHA512
  
  ab539349cb46cdf4c2ce48569a123abc9634adebe68e0ccd19c89f008692651deb727892c1476796d0229965ed25d96b73735ce9ab86fad2bf67abd65ae9cd36
- SSDEEP
  
  786432:M129ofpkXbsydPnpeWjrqBqe4k51vJ8EhsI14StdNoIvTe3HzuREJgIkH5:Y29AwsydPnpXqBq4pmEhh4Sj9Te3TGEk
Score

10^/10

darkcomet hawkeye pony spreadddd collection credential_access defense_evasion discovery keylogger persistence privilege_escalation rat spyware stealer trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Hawkeye family
  hawkeye
- Pony family
  pony
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2