General
-
Target
53eacf566350a00d0e86b5886a51668f
-
Size
252KB
-
Sample
201117-5xzjfp6wrx
-
MD5
80611b7935abbf4b7023ff75cca94df1
-
SHA1
ca2a351513c169d1a6b074c68db4f3eb060b7fc8
-
SHA256
31a5f14f1a0ae9c67c11d3a73c3d5265c72ff5e00791e868aff01796293f613d
-
SHA512
6a6c14206bfc791d5daf7b349cc2f37099979f4691e9d8c4a7d98f28f9d23b44f92175eb8a106d3da9606b0d690c65137cad93011e9f2ac49ea61e577d60262f
Malware Config
Extracted
darkcomet
lox
logan.bounceme.net:1604
DC_MUTEX-HKYPFJY
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
UoVSUsqvZCVe
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
vshost
Targets
-
-
Target
53eacf566350a00d0e86b5886a51668f
-
Size
252KB
-
MD5
80611b7935abbf4b7023ff75cca94df1
-
SHA1
ca2a351513c169d1a6b074c68db4f3eb060b7fc8
-
SHA256
31a5f14f1a0ae9c67c11d3a73c3d5265c72ff5e00791e868aff01796293f613d
-
SHA512
6a6c14206bfc791d5daf7b349cc2f37099979f4691e9d8c4a7d98f28f9d23b44f92175eb8a106d3da9606b0d690c65137cad93011e9f2ac49ea61e577d60262f
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Modifies security service
-
Windows security bypass
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-