General

  • Target

    5699d69b06db357e1967124c4faca11202b35239cf94f7d0f67a49ec1d5f9b50

  • Size

    1.8MB

  • Sample

    220725-ctwczaagf6

  • MD5

    16222dcd3f5d1268f27ca7898b5183cb

  • SHA1

    90d00fdf793d1a7d040044c1200be22a2bded7af

  • SHA256

    5699d69b06db357e1967124c4faca11202b35239cf94f7d0f67a49ec1d5f9b50

  • SHA512

    ce65aca76cc094f1d0fa70b929e7f670c140d322f2c31f1326b6184b3eb6186dfa95ab5e66485a9cbc144fe8ba71e0617ab9e4e6643c453f8c36de7ced076fbf

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    thbest014.no-ip.biz:2525

  • Mutex

    DC_MUTEX-WPLKKB0

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    Uswj1FHkDDSZ

  • install

    true

  • offline_keylogger

    true

  • password

    147147

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      5699d69b06db357e1967124c4faca11202b35239cf94f7d0f67a49ec1d5f9b50


    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Winlogon Helper DLL (T1004): 1
    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2
