General

  • Target

    b5154bba_hs6p8854My

  • Size

    658KB

  • Sample

    210908-fn5k8sghcl

  • MD5

    b5154bba3a9d3648b40164f2ec89e059

  • SHA1

    e37b5718f3da44132e2170dc85e026b9a998f5d9

  • SHA256

    d8b6d9bf469cf33b4effbfc8bcac272a66a01213184580a668a2517df93834a2

  • SHA512

    c21c3e0ed025e97b6dbc0bc9b3f9b8e87306df8177e1638892ecbcb2bf199e828bc186e0fb872dd82c7cd4d3bedb5ff2910584057d34709535a498ca612f5553

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Sazan

  • C2

    0.tcp.ngrok.io:14691

  • Mutex

    DC_MUTEX-DMS3MBM

Attributes
  • gencode

    nSh0hsPzKYNY

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      b5154bba_hs6p8854My


    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies firewall policy service

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

MITRE ATT&CK Matrix ATT&CK v6

Tactic             Technique                       Count   ID
Persistence        Modify Existing Service         1       T1031
Persistence        Hidden Files and Directories    2       T1158
Defense Evasion    Modify Registry                 1       T1112
Defense Evasion    Hidden Files and Directories    2       T1158
Discovery          System Information Discovery    1       T1082

Tasks