General
-
Target
30a771d62c75394d9afe38e6b3650813b669435550e33b8e3a3e070b8c0b3279
-
Size
3.0MB
-
Sample
220919-dzeg3sacbn
-
MD5
7a95c7de3b8a09c6d289ad676c1664bf
-
SHA1
f37b875bf0d88e9c182a834e67bf8f101aba19ac
-
SHA256
30a771d62c75394d9afe38e6b3650813b669435550e33b8e3a3e070b8c0b3279
-
SHA512
ee93787eb9760c08cc4f819b4434ac60e75c6f54695fa69ea1e53266bdaa73b0f43f1646e69aee401d6a10c49e936d68df25df87ef640dd7ca063ab40372c49a
-
SSDEEP
98304:Wx2VbvzOj347sFbI0fQr/6/PJqsJJjpob:C2Zr+6sTEAPosDjp
Malware Config
Extracted
darkcomet
Guest16
cucu.no-ip.org:1500
DC_MUTEX-23UB63C
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
naPTMgVpHACh
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Targets
-
-
Target
30a771d62c75394d9afe38e6b3650813b669435550e33b8e3a3e070b8c0b3279
-
Size
3.0MB
-
MD5
7a95c7de3b8a09c6d289ad676c1664bf
-
SHA1
f37b875bf0d88e9c182a834e67bf8f101aba19ac
-
SHA256
30a771d62c75394d9afe38e6b3650813b669435550e33b8e3a3e070b8c0b3279
-
SHA512
ee93787eb9760c08cc4f819b4434ac60e75c6f54695fa69ea1e53266bdaa73b0f43f1646e69aee401d6a10c49e936d68df25df87ef640dd7ca063ab40372c49a
-
SSDEEP
98304:Wx2VbvzOj347sFbI0fQr/6/PJqsJJjpob:C2Zr+6sTEAPosDjp
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext
-