General
-
Target
4dffb06a8cca8786e380f010f82e7727aae168b9cf8bb15922af965115878dd1
-
Size
871KB
-
Sample
220720-xqmxmsgcgm
-
MD5
8a90747b88537f92f59090e5ee75c487
-
SHA1
0f3a2978f861e69c00f97599113eeede93940248
-
SHA256
4dffb06a8cca8786e380f010f82e7727aae168b9cf8bb15922af965115878dd1
-
SHA512
da1668c3c62f18412f3c460f17d6aa3b51a3602d360f1b9fbbace661002453729a80729065de253566a7cb8196ef9bae6419c7eb6430782b08ad39c63839005b
Malware Config
Extracted
darkcomet
O_O
sker.no-ip.biz:1604
DC_MUTEX-0AZXCTR
-
InstallPath
MSDCSC\Wiin32.exe
-
gencode
cNf5nFUW9lLU
-
install
true
-
offline_keylogger
true
-
password
DEFACING1
-
persistence
true
-
reg_key
WMicroUpdate
Targets
-
-
Target
4dffb06a8cca8786e380f010f82e7727aae168b9cf8bb15922af965115878dd1
-
Size
871KB
-
MD5
8a90747b88537f92f59090e5ee75c487
-
SHA1
0f3a2978f861e69c00f97599113eeede93940248
-
SHA256
4dffb06a8cca8786e380f010f82e7727aae168b9cf8bb15922af965115878dd1
-
SHA512
da1668c3c62f18412f3c460f17d6aa3b51a3602d360f1b9fbbace661002453729a80729065de253566a7cb8196ef9bae6419c7eb6430782b08ad39c63839005b
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Windows security bypass
-
Disables RegEdit via registry modification
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-