General

  • Target

    af628329a2c44dec542bf9075bd4bc3bbe2b41dae5997f88dbe8240c68c3237b

  • Size

    445KB

  • Sample

    220731-2x47qadahk

  • MD5

    5d99801829ebd16dce02fee3dd30cc88

  • SHA1

    17b5c98335473968d36401bb30739c0550e2f98b

  • SHA256

    af628329a2c44dec542bf9075bd4bc3bbe2b41dae5997f88dbe8240c68c3237b

  • SHA512

    6e796bb192748698ed1bb5a3ea85ace86655e4ad9f386069f4c5ca56aebae54646346e6cd2d0923b1b5c09fd28099bd657b01ddf8ae0b64e8b9158a09e2625d9

Malware Config

Extracted

Family

darkcomet

Attributes
  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

Extracted

Family

darkcomet

Botnet

1000

C2

codemousa.no-ip.info:1604

Mutex

DC_MUTEX-MYDDMY8

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    R1ZJggCdq5SM

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      af628329a2c44dec542bf9075bd4bc3bbe2b41dae5997f88dbe8240c68c3237b

    • Size

      445KB

    • MD5

      5d99801829ebd16dce02fee3dd30cc88

    • SHA1

      17b5c98335473968d36401bb30739c0550e2f98b

    • SHA256

      af628329a2c44dec542bf9075bd4bc3bbe2b41dae5997f88dbe8240c68c3237b

    • SHA512

      6e796bb192748698ed1bb5a3ea85ace86655e4ad9f386069f4c5ca56aebae54646346e6cd2d0923b1b5c09fd28099bd657b01ddf8ae0b64e8b9158a09e2625d9

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Hidden Files and Directories

2
T1158

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks