General
-
Target
c564e2327daeecfdcc70feea844c3cfb.exe
-
Size
220KB
-
Sample
210317-f6jgw5scgj
-
MD5
c564e2327daeecfdcc70feea844c3cfb
-
SHA1
09693cfa2ac81ede9208f86f32eb3b2d38db7f3f
-
SHA256
2f3b39e32b302b059b4bf652a4094d8631ce6f7ec8a95a2b1db2d7d1fe29fcde
-
SHA512
ed0094edf94ee832fe1dcb9525281a96274fa64c3a04f06f9d7225754bed38e092357105695725d2c79bdf5b2f02bcbbd64af885283e9ddb29ea5543820bbfd1
Malware Config
Extracted
darkcomet
Guest16
96.126.101.20:8080
DC_MUTEX-AFJSENX
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
Y9abfdNTGGPG
-
install
true
-
offline_keylogger
true
-
password
4GcacRDP
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
c564e2327daeecfdcc70feea844c3cfb.exe
-
Size
220KB
-
MD5
c564e2327daeecfdcc70feea844c3cfb
-
SHA1
09693cfa2ac81ede9208f86f32eb3b2d38db7f3f
-
SHA256
2f3b39e32b302b059b4bf652a4094d8631ce6f7ec8a95a2b1db2d7d1fe29fcde
-
SHA512
ed0094edf94ee832fe1dcb9525281a96274fa64c3a04f06f9d7225754bed38e092357105695725d2c79bdf5b2f02bcbbd64af885283e9ddb29ea5543820bbfd1
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-