Overview

overview

10

Static

static

10

lab_sample...5b.exe

windows7-x64

7

lab_sample...5b.exe

windows10-2004-x64

7

lab_sample...82.exe

windows7-x64

8

lab_sample...82.exe

windows10-2004-x64

7

lab_sample...63.exe

windows7-x64

10

lab_sample...63.exe

windows10-2004-x64

10

lab_sample...15.exe

windows7-x64

1

lab_sample...15.exe

windows10-2004-x64

1

lab_sample...c7.exe

windows7-x64

3

lab_sample...c7.exe

windows10-2004-x64

7

lab_sample...fc.exe

windows7-x64

6

lab_sample...fc.exe

windows10-2004-x64

6

Sharing

Copy URL
Twitter E-mail

General

  • Target

    lab_samples.zip

  • Size

    1.6MB

  • Sample

    240628-nzv5ya1bmm

  • MD5

    707717e0811f03c3713616ab9354ae9f

  • SHA1

    7b8ee97f65075ecd800381642bcbca4515a61cec

  • SHA256

    596263884d5474c2d3bb01238718eb30ce2c8539c99f66fa26b92171c6786c26

  • SHA512

    bff3f233ed55af5ee45b945856f96eab57e76e2481dd1e652bb755004b54dc1411c387c5b055056c92d51464c2abac9e6770221d520886df97610b8ff7d365b2

  • SSDEEP

    49152:mXGgg7/0/FoAG6BKls7W9onqaRf/Hcfs826P5:GOioAt7W9onnRXHcfZ2q

Score
10/10
darkcometguest16discoveryevasionpersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

test213.no-ip.info:1604

Mutex

DC_MUTEX-KHNEW06

Attributes
  • InstallPath

    MSDCSC\runddl32.exe

  • gencode

    F6FE8i2BxCpu

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      lab_samples/1e3966e77ad1cbf3e3ef76803fbf92300b2b88af39650a1208520e0cdc05645b.exe

    • Size

      766KB

    • MD5

      405dba47e2b03f53db2101444e6a925c

    • SHA1

      ed769ff77f46730a9b58a111c52f9e498ec00838

    • SHA256

      1e3966e77ad1cbf3e3ef76803fbf92300b2b88af39650a1208520e0cdc05645b

    • SHA512

      3628944242f0b9d80204dfddcea4189ee7f703ba4498c6a818c83d570d97477ec1273270fef65e993cb0f6bed2d0c915cd3d68a5b35375e257a3879f4859c869

    • SSDEEP

      12288:Qq9hmQkwvH0pmjqM31df4NIAOCIWL92Tnhz0ehT2LPXvLtJ:TpkwMpm+i1dfcjIw921z0GT2Dvb

    Score
    7/10
    persistenceupx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      lab_samples/6562e2ac60afa314cd463f771fcfb8be70f947f6e2b314b0c48187eebb33dd82.exe

    • Size

      87KB

    • MD5

      a579d53a1d29684de6d2c0cbabd525c5

    • SHA1

      17661a04b4b150a6f70afdabe3fd9839cc56bee8

    • SHA256

      6562e2ac60afa314cd463f771fcfb8be70f947f6e2b314b0c48187eebb33dd82

    • SHA512

      a98456792d7f7c83d0fe6be3ce6c48a4630a073b456848e0c8f614efe292a24fcf8d879ead5f2b418e5e29f46ae9356691383ba57e6066c5cacc0d47e675f817

    • SSDEEP

      1536:PwjBg7Rj2r+65ofVkOu2avMtRsCtQqES1IVSJjXTmgacggNp:YjBY12G7uJvMnsGQhSYEmgacx

    Score
    8/10
    persistence

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    behavioral3behavioral4

    • Target

      lab_samples/6d34ded00c0da9887ba752872093f59c649de72a1f629a32014f5ed8be509363.exe

    • Size

      658KB

    • MD5

      f6351da84168d40fae8da0c156fbab0f

    • SHA1

      1a2283c85bc5c655f5f2f77f27ec3a9412e8db7e

    • SHA256

      6d34ded00c0da9887ba752872093f59c649de72a1f629a32014f5ed8be509363

    • SHA512

      9948e83f004bb6d0edf14626660365e469dec444128e820f82066e73177f5de109d048fe226a9cbe95cfc6a99a9d4c501ab3f3900aa2e3677434f03d52694607

    • SSDEEP

      12288:e9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hn:qZ1xuVVjfFoynPaVBUR8f+kN10EBV

    Score
    10/10
    darkcometguest16evasionpersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral5behavioral6

    • Target

      lab_samples/a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe

    • Size

      312KB

    • MD5

      3c1228d714eeda8f94ebbcdb1d75a284

    • SHA1

      1728dfe3e2378b6c88e859e6af79c32b612aefc6

    • SHA256

      a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215

    • SHA512

      b3b6e81b9588fbbf42a96e4ce71e7428b52dd9b59a01ac934e63f1bce309609f507ae6f827c776a3eedc0afe45521466c4ddb76b851476fc774c8e3edcf713e4

    • SSDEEP

      6144:eaXnROjLTs0Yb+AjEk+9x94SsWLkBPR3T7IrRAFoFc3WUk:1hOjXjY9tKxu3WwPRj0eoFc3WR

    Score
    1/10
    behavioral7behavioral8

    • Target

      lab_samples/b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe

    • Size

      659KB

    • MD5

      b3dc48d13f7d541fa583bf964c0603bf

    • SHA1

      1dbaa68adc0a592508f7ad715bfcdf79c17990d6

    • SHA256

      b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7

    • SHA512

      193bda0656a9d1be54dc655d9af3224ddccb78fc26aa77618fba1e3c36005a0368a200960cc28facc280df667f51a26bbef62282bbf8837cc036a41bfb8525f4

    • SSDEEP

      12288:JR2N+L3K6boxK6dSmiTwntcm3Kbjbgv8YXoNCMF6+yWiL4Wlsfppj4W:P8+L3UM6SIcsHj4N5F6+yW/W4XP

    Score
    7/10

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral10behavioral9

    • Target

      lab_samples/e30b76f9454a5fd3d11b5792ff93e56c52bf5dfba6ab375c3b96e17af562f5fc.exe

    • Size

      172KB

    • MD5

      6e5654da58c03df6808466f0197207ed

    • SHA1

      594f33ad9d7f85625a88c24903243ba9788fba86

    • SHA256

      e30b76f9454a5fd3d11b5792ff93e56c52bf5dfba6ab375c3b96e17af562f5fc

    • SHA512

      6542a42528f11085376ba893615cd7b68b37e1c78427c678db658e6174ca8d0ac893b071aa55e8d3924a6a2235657322eadf025f10e26c4a0c9858e3c12eb264

    • SSDEEP

      3072:qZkKstjomW1XBJqhhPQa77l79KQXF6yvf4FkbmB7VU2fMa+:zvUmgqkm9KQXF6yvwCbu7gT

    Score
    6/10
    discovery

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral11behavioral12

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Modify Registry

4
T1112

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Credential Access

Discovery

System Information Discovery

6
T1082

Query Registry

5
T1012

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks