General
-
Target
Payment 761.exe
-
Size
3.0MB
-
Sample
210216-trby2w69hn
-
MD5
62a68863c4cc45f3044a82468175e2d8
-
SHA1
1872815154485c5f9af9cc93678bfa0da049d057
-
SHA256
0988c85492437167f5cef3d98c7313ac4c15ca9c765b89261fad0622bf61622f
-
SHA512
6328700abc7f907e4a56866698ff3249351ac07d0175a17ed6810a2a1b029aa7902b34b966518983830d7d2b193a5f950b634945d2588d18cafe26b1b5044508
Malware Config
Extracted
darkcomet
FEBruary 2021
chrisle79.ddns.net:3317
jacknop79.ddns.net:3317
smath79.ddns.net:3317
whatis79.ddns.net:3317
goodgt79.ddns.net:3317
bonding79.ddns.net:3317
DC_MUTEX-X4WFYA8
-
gencode
vYNzRAlAVaCD
-
install
false
-
offline_keylogger
true
-
password
Password20$
-
persistence
false
Targets
-
-
Target
Payment 761.exe
-
Size
3.0MB
-
MD5
62a68863c4cc45f3044a82468175e2d8
-
SHA1
1872815154485c5f9af9cc93678bfa0da049d057
-
SHA256
0988c85492437167f5cef3d98c7313ac4c15ca9c765b89261fad0622bf61622f
-
SHA512
6328700abc7f907e4a56866698ff3249351ac07d0175a17ed6810a2a1b029aa7902b34b966518983830d7d2b193a5f950b634945d2588d18cafe26b1b5044508
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-