General

  • Target

    fdee650f22746686231a8142ad92929b9bcfa416c1aae9d04eca58bbe06ed5d9

  • Size

    1.3MB

  • Sample

    221003-njm5dsdgdm

  • MD5

    612cfad8f0d3302e111d8f37889f4545

  • SHA1

    4922d1c323be689169817b290c0067a6d30dab7d

  • SHA256

    fdee650f22746686231a8142ad92929b9bcfa416c1aae9d04eca58bbe06ed5d9

  • SHA512

    df2eb94a9c84f737fd643609fb304b284635807e99e8f74f2fc584ea841e30eff63c19c1fe9a41b6b851e2f162bbdf97cb2c53ff36c9e5e1cd493cb3b798bafb

  • SSDEEP

    24576:iRmJkcoQricOIQxiZY1iaoH7vOngV2TRH2rLp6/ANE+fAGBe/CvZo8:3JZoQrbTFZY1iaoH7GgV2NHLyAGw/Cvb

Malware Config

Extracted

Family

darkcomet

Botnet

Tibia

C2

nyffernipt.no-ip.org:93

Mutex

DC_MUTEX-5LTW17T

Attributes
  • gencode

    VArimZEWLPrV

  • install

    false

  • offline_keylogger

    true

  • password

    thiago3000

  • persistence

    false

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • UAC bypass

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6