General
-
Target
1yyoRs4y38XZvNF9YQAk.exe
-
Size
658KB
-
Sample
210505-z1km7c36h2
-
MD5
db08908582b5fadec29d5ea3c91b954a
-
SHA1
fedaf416dd8019a55657d8321d70e2d09c98c595
-
SHA256
6f08293219654fea6c04ef20b911c4b3d28029ae32b9bcfaa7278df56a059ede
-
SHA512
05e99bb91df650d18da64d2133c7e289c0485d28e289aa77d1c0e0366473e33da3f0d955a29c93d88f4a47b40f766611cf3c3d07174c602cbb2bf6a76641e916
Malware Config
Extracted
darkcomet
Guest16
nanocore4459.ddns.net:5552
DC_MUTEX-WPZT55M
-
InstallPath
C:\Windows\System32\drivers\networkdrv.exe
-
gencode
CtFSuaWNSfPv
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
Network Driver
Targets
-
-
Target
1yyoRs4y38XZvNF9YQAk.exe
-
Size
658KB
-
MD5
db08908582b5fadec29d5ea3c91b954a
-
SHA1
fedaf416dd8019a55657d8321d70e2d09c98c595
-
SHA256
6f08293219654fea6c04ef20b911c4b3d28029ae32b9bcfaa7278df56a059ede
-
SHA512
05e99bb91df650d18da64d2133c7e289c0485d28e289aa77d1c0e0366473e33da3f0d955a29c93d88f4a47b40f766611cf3c3d07174c602cbb2bf6a76641e916
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Adds Run key to start application
-