Overview
overview
10Static
static
10lab_sample...5b.exe
windows7-x64
7lab_sample...5b.exe
windows10-2004-x64
7lab_sample...82.exe
windows7-x64
8lab_sample...82.exe
windows10-2004-x64
7lab_sample...63.exe
windows7-x64
10lab_sample...63.exe
windows10-2004-x64
10lab_sample...15.exe
windows7-x64
1lab_sample...15.exe
windows10-2004-x64
1lab_sample...c7.exe
windows7-x64
3lab_sample...c7.exe
windows10-2004-x64
7lab_sample...fc.exe
windows7-x64
6lab_sample...fc.exe
windows10-2004-x64
6General
-
Target
lab_samples.zip
-
Size
1.6MB
-
Sample
240628-nzv5ya1bmm
-
MD5
707717e0811f03c3713616ab9354ae9f
-
SHA1
7b8ee97f65075ecd800381642bcbca4515a61cec
-
SHA256
596263884d5474c2d3bb01238718eb30ce2c8539c99f66fa26b92171c6786c26
-
SHA512
bff3f233ed55af5ee45b945856f96eab57e76e2481dd1e652bb755004b54dc1411c387c5b055056c92d51464c2abac9e6770221d520886df97610b8ff7d365b2
-
SSDEEP
49152:mXGgg7/0/FoAG6BKls7W9onqaRf/Hcfs826P5:GOioAt7W9onnRXHcfZ2q
Behavioral task
behavioral1
Sample
lab_samples/1e3966e77ad1cbf3e3ef76803fbf92300b2b88af39650a1208520e0cdc05645b.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
lab_samples/1e3966e77ad1cbf3e3ef76803fbf92300b2b88af39650a1208520e0cdc05645b.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
lab_samples/6562e2ac60afa314cd463f771fcfb8be70f947f6e2b314b0c48187eebb33dd82.exe
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
lab_samples/6562e2ac60afa314cd463f771fcfb8be70f947f6e2b314b0c48187eebb33dd82.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
lab_samples/6d34ded00c0da9887ba752872093f59c649de72a1f629a32014f5ed8be509363.exe
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
lab_samples/6d34ded00c0da9887ba752872093f59c649de72a1f629a32014f5ed8be509363.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral7
Sample
lab_samples/a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
Resource
win7-20240611-en
Behavioral task
behavioral8
Sample
lab_samples/a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
lab_samples/b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe
Resource
win7-20240220-en
Behavioral task
behavioral10
Sample
lab_samples/b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral11
Sample
lab_samples/e30b76f9454a5fd3d11b5792ff93e56c52bf5dfba6ab375c3b96e17af562f5fc.exe
Resource
win7-20240611-en
Behavioral task
behavioral12
Sample
lab_samples/e30b76f9454a5fd3d11b5792ff93e56c52bf5dfba6ab375c3b96e17af562f5fc.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
darkcomet
Guest16
test213.no-ip.info:1604
DC_MUTEX-KHNEW06
-
InstallPath
MSDCSC\runddl32.exe
-
gencode
F6FE8i2BxCpu
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
lab_samples/1e3966e77ad1cbf3e3ef76803fbf92300b2b88af39650a1208520e0cdc05645b.exe
-
Size
766KB
-
MD5
405dba47e2b03f53db2101444e6a925c
-
SHA1
ed769ff77f46730a9b58a111c52f9e498ec00838
-
SHA256
1e3966e77ad1cbf3e3ef76803fbf92300b2b88af39650a1208520e0cdc05645b
-
SHA512
3628944242f0b9d80204dfddcea4189ee7f703ba4498c6a818c83d570d97477ec1273270fef65e993cb0f6bed2d0c915cd3d68a5b35375e257a3879f4859c869
-
SSDEEP
12288:Qq9hmQkwvH0pmjqM31df4NIAOCIWL92Tnhz0ehT2LPXvLtJ:TpkwMpm+i1dfcjIw921z0GT2Dvb
Score7/10-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
lab_samples/6562e2ac60afa314cd463f771fcfb8be70f947f6e2b314b0c48187eebb33dd82.exe
-
Size
87KB
-
MD5
a579d53a1d29684de6d2c0cbabd525c5
-
SHA1
17661a04b4b150a6f70afdabe3fd9839cc56bee8
-
SHA256
6562e2ac60afa314cd463f771fcfb8be70f947f6e2b314b0c48187eebb33dd82
-
SHA512
a98456792d7f7c83d0fe6be3ce6c48a4630a073b456848e0c8f614efe292a24fcf8d879ead5f2b418e5e29f46ae9356691383ba57e6066c5cacc0d47e675f817
-
SSDEEP
1536:PwjBg7Rj2r+65ofVkOu2avMtRsCtQqES1IVSJjXTmgacggNp:YjBY12G7uJvMnsGQhSYEmgacx
Score8/10-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
-
-
Target
lab_samples/6d34ded00c0da9887ba752872093f59c649de72a1f629a32014f5ed8be509363.exe
-
Size
658KB
-
MD5
f6351da84168d40fae8da0c156fbab0f
-
SHA1
1a2283c85bc5c655f5f2f77f27ec3a9412e8db7e
-
SHA256
6d34ded00c0da9887ba752872093f59c649de72a1f629a32014f5ed8be509363
-
SHA512
9948e83f004bb6d0edf14626660365e469dec444128e820f82066e73177f5de109d048fe226a9cbe95cfc6a99a9d4c501ab3f3900aa2e3677434f03d52694607
-
SSDEEP
12288:e9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hn:qZ1xuVVjfFoynPaVBUR8f+kN10EBV
-
Modifies WinLogon for persistence
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
lab_samples/a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215.exe
-
Size
312KB
-
MD5
3c1228d714eeda8f94ebbcdb1d75a284
-
SHA1
1728dfe3e2378b6c88e859e6af79c32b612aefc6
-
SHA256
a380617cf945ca35dbbc3d031bcc612f0dca96c1027a75003182ba5be2851215
-
SHA512
b3b6e81b9588fbbf42a96e4ce71e7428b52dd9b59a01ac934e63f1bce309609f507ae6f827c776a3eedc0afe45521466c4ddb76b851476fc774c8e3edcf713e4
-
SSDEEP
6144:eaXnROjLTs0Yb+AjEk+9x94SsWLkBPR3T7IrRAFoFc3WUk:1hOjXjY9tKxu3WwPRj0eoFc3WR
Score1/10 -
-
-
Target
lab_samples/b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe
-
Size
659KB
-
MD5
b3dc48d13f7d541fa583bf964c0603bf
-
SHA1
1dbaa68adc0a592508f7ad715bfcdf79c17990d6
-
SHA256
b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7
-
SHA512
193bda0656a9d1be54dc655d9af3224ddccb78fc26aa77618fba1e3c36005a0368a200960cc28facc280df667f51a26bbef62282bbf8837cc036a41bfb8525f4
-
SSDEEP
12288:JR2N+L3K6boxK6dSmiTwntcm3Kbjbgv8YXoNCMF6+yWiL4Wlsfppj4W:P8+L3UM6SIcsHj4N5F6+yW/W4XP
Score7/10-
Executes dropped EXE
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
lab_samples/e30b76f9454a5fd3d11b5792ff93e56c52bf5dfba6ab375c3b96e17af562f5fc.exe
-
Size
172KB
-
MD5
6e5654da58c03df6808466f0197207ed
-
SHA1
594f33ad9d7f85625a88c24903243ba9788fba86
-
SHA256
e30b76f9454a5fd3d11b5792ff93e56c52bf5dfba6ab375c3b96e17af562f5fc
-
SHA512
6542a42528f11085376ba893615cd7b68b37e1c78427c678db658e6174ca8d0ac893b071aa55e8d3924a6a2235657322eadf025f10e26c4a0c9858e3c12eb264
-
SSDEEP
3072:qZkKstjomW1XBJqhhPQa77l79KQXF6yvf4FkbmB7VU2fMa+:zvUmgqkm9KQXF6yvwCbu7gT
Score6/10-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
3Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
3Winlogon Helper DLL
1Defense Evasion
Modify Registry
4Hide Artifacts
2Hidden Files and Directories
2