General

  • Target

    5f8746c22ef36acbab6318006dd80d658b6a5c7b7caca041dd6ea9869d8e7b01

  • Size

    252KB

  • Sample

    220731-nezmmaefhp

  • MD5

    212e9f90a1b76a6c8d2ec81dd884e03b

  • SHA1

    e1d77698f3776e48f32780ef00f171a06b97715e

  • SHA256

    5f8746c22ef36acbab6318006dd80d658b6a5c7b7caca041dd6ea9869d8e7b01

  • SHA512

    2886906a394aaee2897e6c7d3597fe8123da59f33e9030de3a5d411c29b6add0c25f53859f7b85c7a986c1ed1a4d908405269098a9f8f7bd8e36dcf8b968b2df

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

cometka321.ddns.net:1604

Mutex

DC_MUTEX-JZ5G2G4

Attributes
  • InstallPath

    Windows\msdcsc.exe

  • gencode

    TjzE59HsqfK5

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    WindowsUpdate

Targets

    • Target

      5f8746c22ef36acbab6318006dd80d658b6a5c7b7caca041dd6ea9869d8e7b01

    • Size

      252KB

    • MD5

      212e9f90a1b76a6c8d2ec81dd884e03b

    • SHA1

      e1d77698f3776e48f32780ef00f171a06b97715e

    • SHA256

      5f8746c22ef36acbab6318006dd80d658b6a5c7b7caca041dd6ea9869d8e7b01

    • SHA512

      2886906a394aaee2897e6c7d3597fe8123da59f33e9030de3a5d411c29b6add0c25f53859f7b85c7a986c1ed1a4d908405269098a9f8f7bd8e36dcf8b968b2df

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

2
T1031

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

7
T1112

Disabling Security Tools

2
T1089

Hidden Files and Directories

2
T1158

Discovery

System Information Discovery

1
T1082

Tasks