General
-
Target
Purchase_Order_781.zip
-
Size
1.9MB
-
Sample
210524-2aaq4jt4cs
-
MD5
244bd3926f2173d3afc03dc30911bd0f
-
SHA1
906ed2a55f4dcae21221e9b99e0b8ba321176d94
-
SHA256
e1239f00d096ca7c112ae7e0c4f6a2d622b5d59b4702c80fc62b25c83c733473
-
SHA512
35c1fa37f45a4d3873a9f288f84761d03bd65d98d01a6c3a6f816cc981f77373f8045c8508b8978b04aae93c6cf2b983fa1bc2b0b7a8cc53f74c8c5a664fddd6
Malware Config
Extracted
darkcomet
May 2021
bonding79.ddns.net:3316
goodgt79.ddns.net:3316
whatis79.ddns.net:3316
smath79.ddns.net:3316
jacknop79.ddns.net:3316
chrisle79.ddns.net:3316
DC_MUTEX-PPMNGQA
-
gencode
AUQYBsRj2TWk
-
install
false
-
offline_keylogger
true
-
password
Password20$
-
persistence
false
Targets
-
-
Target
Purchase Order 781.exe
-
Size
2.0MB
-
MD5
701fbddfd06ee81cbdd5ef856389aca8
-
SHA1
f69315ab7caf73bd0d7ced899fdf2e619d3c474e
-
SHA256
864e6ddd9c09a95df11b80abbaa0b1a9a4fb890cb27ad21883f44853094bb0cd
-
SHA512
cdcadf2dcf3ba2fb640a00e8f9751d3c6f08c34a70c0ca441795ba9e59de3c323549b0180d7b940395f1d2800cda06672e2cb040257f0101eb521a2b43e7b0eb
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-