General

  • Target

    aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee

  • Size

    690KB

  • Sample

    220731-ntntnsfden

  • MD5

    2194793f9dcc7cc77d208c1f2b1e7e2c

  • SHA1

    bbfe71946bcc3e94eb7032485da79a1186981e6b

  • SHA256

    aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee

  • SHA512

    41c2c41b2ab78c8c9df63d4ebe5eb7cc927422324b744a8734caf633a7fbfba6c5063fd8807d47417228aa81e04664901444e9cbcb224f80e646b3b598176e7a

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    192.168.1.4:1604

  • Mutex

    DC_MUTEX-PZNKCGY

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    AQtHj77eZQcF

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Winlogon Helper DLL (T1004): 1
    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2
