General

  • Target

    f458a873443e550e7d2b6a8d69083cbd18c9832bf80b9f163dc43fed79492729

  • Size

    544KB

  • Sample

    221003-njbfladgcj

  • MD5

    43b14536f1dfa015102cc625b3c734a6

  • SHA1

    4a866c19a680b202c9b155265c8cd2f45d0f5950

  • SHA256

    f458a873443e550e7d2b6a8d69083cbd18c9832bf80b9f163dc43fed79492729

  • SHA512

    e780fb28b81376bc20766351a2b202ef9a0b336b3d256dca3501d8909aea72d3cef398a7befcba832a69caa5e8e00c61fadf9cccbb85721a2f40b2505df0db31

  • SSDEEP

    12288:2phltQCO4VmN3kbzzejeXPmrhZ5Ez9+LTlh7:umN3cae/mr89IBh7

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

wirehost.sytes.net:1624

wirehost2.zapto.org:1624

Mutex

DC_MUTEX-X4HZLMT

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    Xx4Eo1aAF6Pl

  • install

    true

  • offline_keylogger

    true

  • password

    bastofos2

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar tools.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
