General

  • Target

    9320b8cf9eb43952636f26b9d30787dd6dd9bfd6e202006900bcfeb495d0f670

  • Size

    692KB

  • Sample

    220521-xyydcagaaq

  • MD5

    95dba9c1967098ee9ae4a184c91e8043

  • SHA1

    bf692ce0292a6e665ac2d12530c6343bb9175a04

  • SHA256

    9320b8cf9eb43952636f26b9d30787dd6dd9bfd6e202006900bcfeb495d0f670

  • SHA512

    5e60d6b6e884f681f659fe1f2ae9ade49316c7e5ae4bc444c34dae38196e1abfc0765798ff17ad0c45d35f0e74883488f04820128e7fbc8d26440bf24e1272b6

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

95.190.35.235:1604

Mutex

DC_MUTEX-3ZHZ8MG

Attributes
  • InstallPath

    MSDCSC\explorer.exe

  • gencode

    W0KYPkPyqZc8

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      9320b8cf9eb43952636f26b9d30787dd6dd9bfd6e202006900bcfeb495d0f670

    • Size

      692KB

    • MD5

      95dba9c1967098ee9ae4a184c91e8043

    • SHA1

      bf692ce0292a6e665ac2d12530c6343bb9175a04

    • SHA256

      9320b8cf9eb43952636f26b9d30787dd6dd9bfd6e202006900bcfeb495d0f670

    • SHA512

      5e60d6b6e884f681f659fe1f2ae9ade49316c7e5ae4bc444c34dae38196e1abfc0765798ff17ad0c45d35f0e74883488f04820128e7fbc8d26440bf24e1272b6

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies security service

    • Windows security bypass

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

5
T1112

Disabling Security Tools

2
T1089

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks