Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867
-
Size
683KB
-
Sample
250319-jfbvqstwgv
-
MD5
9dd53b03345030bc7decf3adbe608ce7
-
SHA1
5999c980dfb72ed83cb4196a310cf2896650f997
-
SHA256
0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867
-
SHA512
a904e90ed7c076de06a2deaf929cbd0f63844c6a09664f068d1b2c41e34ab3cad365339de3e6868cc43de38d5246ac6749ee596883e9a720573043e4f7a36f5a
-
SSDEEP
12288:cQ2T1tTzrnmsm81wCfvXsKbDTo7E3TlQCGVUPShkQ2lE1ToXi7SnATyQYzTa3mY:crT1t3dd8KvTo7E3TPOUPSaA1Tt7hTyC
Malware Config
Extracted
darkcomet
Guest16
startpc.localto.net:5139
DC_MUTEX-YNHY3V1
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
bbBGhWmhMoJH
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867
-
Size
683KB
-
MD5
9dd53b03345030bc7decf3adbe608ce7
-
SHA1
5999c980dfb72ed83cb4196a310cf2896650f997
-
SHA256
0624a3641140b1e609f181854519fa328dd04132f29d30da4eccca73e777f867
-
SHA512
a904e90ed7c076de06a2deaf929cbd0f63844c6a09664f068d1b2c41e34ab3cad365339de3e6868cc43de38d5246ac6749ee596883e9a720573043e4f7a36f5a
-
SSDEEP
12288:cQ2T1tTzrnmsm81wCfvXsKbDTo7E3TlQCGVUPShkQ2lE1ToXi7SnATyQYzTa3mY:crT1t3dd8KvTo7E3TPOUPSaA1Tt7hTyC
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Windows security bypass
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Windows security modification
-
Adds Run key to start application
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3