General
Target: c3c5bcc0cd14d6dbc073e4565edf660d9c377a83dbae49132e9e4c3b526da02d
Size: 2.5MB
Sample: 210921-kdkwasghb4
MD5: f257a4e79645b6727ac8cd48c80cb3ce
SHA1: e4e775ea5cbca89c0f1c362066fcd0042351fdce
SHA256: c3c5bcc0cd14d6dbc073e4565edf660d9c377a83dbae49132e9e4c3b526da02d
SHA512: c6e31654f6be3348401ab6b56ce16430fb16d462d0b186508cf5fd69842ff1132240368eec27d00271a6cabc8500619db428d23f5da474c925345a63416c800b
Static task: static1
Behavioral task: behavioral1
  Sample: c3c5bcc0cd14d6dbc073e4565edf660d9c377a83dbae49132e9e4c3b526da02d.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: c3c5bcc0cd14d6dbc073e4565edf660d9c377a83dbae49132e9e4c3b526da02d.exe
  Resource: win10-en-20210920
Malware Config
Extracted
darkcomet
Guest16_min
127.0.0.1:1604
DCMIN_MUTEX-FLMDWNQ
InstallPath: DCSCMIN\IMDCSC.exe
gencode: G9QPn0wrb19b
install: true
offline_keylogger: true
persistence: false
reg_key: DarkComet RAT
Targets
Target: c3c5bcc0cd14d6dbc073e4565edf660d9c377a83dbae49132e9e4c3b526da02d
Size: 2.5MB
MD5: f257a4e79645b6727ac8cd48c80cb3ce
SHA1: e4e775ea5cbca89c0f1c362066fcd0042351fdce
SHA256: c3c5bcc0cd14d6dbc073e4565edf660d9c377a83dbae49132e9e4c3b526da02d
SHA512: c6e31654f6be3348401ab6b56ce16430fb16d462d0b186508cf5fd69842ff1132240368eec27d00271a6cabc8500619db428d23f5da474c925345a63416c800b
- Modifies WinLogon for persistence
- Blocklisted process makes network request
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.