General
-
Target
hobaa.bin
-
Size
658KB
-
Sample
220619-zpaa9seeg5
-
MD5
73cf29c4ce3770bcf52c21b94588ca24
-
SHA1
81180bc25cc7a11cc570085ff383e356232d27f0
-
SHA256
3033e88038cf80d4ea502099291f9ea0e93c5995f96282ad26e5c21e8442c5ce
-
SHA512
f05600475b81e9434f9268ee5af33c760204af2e6ff0efd26dda20d123b004c33e75aef68182a5a43b0d34160ead09041b29e6ac9ad3b4b59485a29245f531b1
Malware Config
Extracted
darkcomet
Sazan
4.tcp.eu.ngrok.io:14008
DC_MUTEX-K3TSWRH
-
InstallPath
MSDCSC\SystemUI.exe
-
gencode
2Ua3NFMLv0El
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
SystemFile
Targets
-
-
Target
hobaa.bin
-
Size
658KB
-
MD5
73cf29c4ce3770bcf52c21b94588ca24
-
SHA1
81180bc25cc7a11cc570085ff383e356232d27f0
-
SHA256
3033e88038cf80d4ea502099291f9ea0e93c5995f96282ad26e5c21e8442c5ce
-
SHA512
f05600475b81e9434f9268ee5af33c760204af2e6ff0efd26dda20d123b004c33e75aef68182a5a43b0d34160ead09041b29e6ac9ad3b4b59485a29245f531b1
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-