87e1433bec2bd9d8fdc02e52d03d29005b82546996d045068ffce11088a660c3

General
Target

87e1433bec2bd9d8fdc02e52d03d29005b82546996d045068ffce11088a660c3

Size

252KB

Sample

220521-xy1hpscgf2

Score
10 /10
MD5

32307c24db9052003547acd8c7814a09

SHA1

1804e608aef820e4b344e996dbad49276cc237b5

SHA256

87e1433bec2bd9d8fdc02e52d03d29005b82546996d045068ffce11088a660c3

SHA512

7e3db616a5e1e25eb2b94a8a537c90b657f99fa92471c38108eb0e859476a6e5adecfe3ef46da9729cc3605a79c694f74a2a923b4f6e5f9bc5d5515186bca596

Malware Config

Extracted

Family darkcomet
Botnet Guest16
C2

kualomakalo.ddns.net:1604

Attributes
InstallPath
MSDCSC\msdcsc.exe
gencode
stDkxmBCbxzB
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate
Targets
Target

87e1433bec2bd9d8fdc02e52d03d29005b82546996d045068ffce11088a660c3

MD5

32307c24db9052003547acd8c7814a09

Filesize

252KB

Score
10/10
SHA1

1804e608aef820e4b344e996dbad49276cc237b5

SHA256

87e1433bec2bd9d8fdc02e52d03d29005b82546996d045068ffce11088a660c3

SHA512

7e3db616a5e1e25eb2b94a8a537c90b657f99fa92471c38108eb0e859476a6e5adecfe3ef46da9729cc3605a79c694f74a2a923b4f6e5f9bc5d5515186bca596

Tags

Signatures

  • Darkcomet

    Description

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    Tags

  • Modifies WinLogon for persistence

    Tags

    TTPs

    Winlogon Helper DLLModify Registry
  • Modifies firewall policy service

    Tags

    TTPs

    Modify RegistryModify Existing Service
  • Modifies security service

    Tags

    TTPs

    Modify RegistryModify Existing Service
  • Windows security bypass

    Tags

    TTPs

    Disabling Security ToolsModify Registry
  • Disables RegEdit via registry modification

    Tags

  • Disables Task Manager via registry modification

    Tags

  • Executes dropped EXE

  • Sets file to hidden

    Description

    Modifies file attributes to stop it showing in Explorer etc.

    Tags

    TTPs

    Hidden Files and Directories
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery
  • Deletes itself

  • Loads dropped DLL

  • Windows security modification

    Tags

    TTPs

    Disabling Security ToolsModify Registry
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Privilege Escalation