General
-
Target
701fbddf_by_Libranalysis
-
Size
2.0MB
-
Sample
210524-esbypfjfae
-
MD5
701fbddfd06ee81cbdd5ef856389aca8
-
SHA1
f69315ab7caf73bd0d7ced899fdf2e619d3c474e
-
SHA256
864e6ddd9c09a95df11b80abbaa0b1a9a4fb890cb27ad21883f44853094bb0cd
-
SHA512
cdcadf2dcf3ba2fb640a00e8f9751d3c6f08c34a70c0ca441795ba9e59de3c323549b0180d7b940395f1d2800cda06672e2cb040257f0101eb521a2b43e7b0eb
Malware Config
Extracted
darkcomet
May 2021
bonding79.ddns.net:3316
goodgt79.ddns.net:3316
whatis79.ddns.net:3316
smath79.ddns.net:3316
jacknop79.ddns.net:3316
chrisle79.ddns.net:3316
DC_MUTEX-PPMNGQA
-
gencode
AUQYBsRj2TWk
-
install
false
-
offline_keylogger
true
-
password
Password20$
-
persistence
false
Targets
-
-
Target
701fbddf_by_Libranalysis
-
Size
2.0MB
-
MD5
701fbddfd06ee81cbdd5ef856389aca8
-
SHA1
f69315ab7caf73bd0d7ced899fdf2e619d3c474e
-
SHA256
864e6ddd9c09a95df11b80abbaa0b1a9a4fb890cb27ad21883f44853094bb0cd
-
SHA512
cdcadf2dcf3ba2fb640a00e8f9751d3c6f08c34a70c0ca441795ba9e59de3c323549b0180d7b940395f1d2800cda06672e2cb040257f0101eb521a2b43e7b0eb
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-