General

  • Target

    6e309f91bda425f0ed2cea66c1f3fd954f68db4c2d948df51b3516ab3f83146d

  • Size

    1.2MB

  • Sample

    221003-rqggzaahgm

  • MD5

    6db68fd708c703cd425fe8b3f6d07c60

  • SHA1

    238dc0b0b8746bb7d9027963dfc45d17d4108b08

  • SHA256

    6e309f91bda425f0ed2cea66c1f3fd954f68db4c2d948df51b3516ab3f83146d

  • SHA512

    a2f3012b83990d967a682c1acd6c92123b121f3b2a9faaf9fa44ca097dcf8dd394aa1b704237dd1e763e27005200a75c42dcfaa86bdbc8f1974e4f1bad74ea3e

  • SSDEEP

    24576:5vOTggIRfmQX3zRYC6FVZPv+FWe4YsVEz:tjYlDZ3+UTVEz

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

bzhacker.no-ip.biz:1604

bzhacker.no-ip.biz:110

bzhacker.no-ip.biz:84

Mutex

DC_MUTEX-92K99GS

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    kLepfPEBxSqW

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      6e309f91bda425f0ed2cea66c1f3fd954f68db4c2d948df51b3516ab3f83146d

    • Darkcomet

      DarkComet is a remote access trojan (RAT) written by Jean-Pierre Lesueur (DarkCoderSc). Its development was discontinued in 2012, but the builder remains in circulation, so freshly built samples like this one are still seen.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
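The extracted configuration above (C2 host and ports, mutex, install path, Run-key value name) and the signatures in this target list are what a responder would turn into a host and network IOC check. The script below is an added example for this report, not part of the sandbox output or of DarkComet itself. It runs the IOCs over constructed, Sysmon-like event records (a "type" field plus the fields that event type carries; real telemetry needs its own parser). It assumes that the DC_MUTEX- prefix and the MSDCSC\msdcsc.exe install path are shared across DarkComet builds, so those are reported as "family" hits, while the mutex suffix, the Run-key value name MicroUpdate and the C2 host/ports are per-build and come from this sample's config ("exact" hits).

```python
"""Turn the extracted DarkComet configuration into a host/network IOC check.

Added example for this report; it is not part of the sandbox output or of
DarkComet.  The events below are CONSTRUCTED in a simplified Sysmon-like
shape ("type" plus the fields that event type carries); real telemetry
needs its own parser.  Assumption: the DC_MUTEX- prefix and the
MSDCSC\\msdcsc.exe install path are shared across DarkComet builds
("family" hits); the mutex suffix, Run-key value name and C2 host/ports
are per-build and come from this sample's config ("exact" hits).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Values copied from the report's Malware Config block.
C2_HOST = "bzhacker.no-ip.biz"
C2_PORTS = {1604, 110, 84}
MUTEX = "DC_MUTEX-92K99GS"
INSTALL_PATH = r"MSDCSC\msdcsc.exe"
REG_VALUE_NAME = "MicroUpdate"

# Run key under any hive prefix (Sysmon logs the full key path); captures the value name.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# DarkComet's default mutex format: fixed prefix, 7-character build-specific suffix.
DC_MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")


@dataclass(frozen=True)
class Finding:
    event_type: str
    confidence: str  # "exact": this sample's config; "family": any DarkComet build
    detail: str


def check_event(ev: Dict) -> Optional[Finding]:
    """Return a Finding if one event matches the IOCs, else None."""
    t = ev["type"]
    if t == "registry_set":
        m = RUN_KEY_RE.search(ev["key"])
        if not m:
            return None
        if m.group(1).lower() == REG_VALUE_NAME.lower():
            return Finding(t, "exact", f"Run value {m.group(1)} -> {ev['data']}")
        if ev["data"].lower().endswith(INSTALL_PATH.lower()):
            return Finding(t, "family", f"Run value {m.group(1)} points at {INSTALL_PATH}")
        return None
    if t == "file_create":
        if ev["path"].lower().endswith(INSTALL_PATH.lower()):
            return Finding(t, "family", f"dropped {ev['path']}")
        return None
    if t == "mutex_create":
        if ev["name"] == MUTEX:
            return Finding(t, "exact", ev["name"])
        if DC_MUTEX_RE.match(ev["name"]):
            return Finding(t, "family", ev["name"])
        return None
    if t == "dns_query":
        if ev["query"].lower() == C2_HOST:
            return Finding(t, "exact", f"resolved C2 host {ev['query']}")
        return None
    if t == "net_connect":
        if ev["host"].lower() == C2_HOST:
            port_note = "configured port" if ev["port"] in C2_PORTS else "port not in config"
            return Finding(t, "exact", f"{ev['host']}:{ev['port']} ({port_note})")
        return None
    return None


def triage(events: List[Dict]) -> List[Finding]:
    """Run every event through check_event and keep the hits."""
    return [f for f in (check_event(e) for e in events) if f is not None]


SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"type": "registry_set",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate",
     "data": r"C:\Users\victim\AppData\Roaming\MSDCSC\msdcsc.exe"},
    {"type": "registry_set",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Roaming\MSDCSC\msdcsc.exe"},
    {"type": "mutex_create", "name": "DC_MUTEX-92K99GS"},
    {"type": "mutex_create", "name": "DC_MUTEX-QX7P2LA"},  # a different DarkComet build
    {"type": "mutex_create", "name": "Global\\OneDriveUpdater"},
    {"type": "dns_query", "query": "bzhacker.no-ip.biz"},
    {"type": "net_connect", "host": "bzhacker.no-ip.biz", "port": 1604},
    {"type": "net_connect", "host": "93.184.216.34", "port": 443},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.confidence:6}] {f.event_type:13} {f.detail}")
```

Two caveats follow from the report itself. The "Suspicious use of SetThreadContext" signature means the payload most likely ends up running inside another process, so detections keyed on the image name of msdcsc.exe are weak; the Run-key value, the mutex and the dropped file path are the durable host indicators. The C2 is a no-ip.biz dynamic-DNS name whose resolved address can change at any time, so match on the DNS query for the hostname rather than on an IP; port 1604 is DarkComet's default, 110 and 84 are alternates configured in this build.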

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder (T1060), 1 hit. T1060 is the v6 identifier; in current ATT&CK this technique is T1547.001.

Defense Evasion

  • Modify Registry (T1112), 1 hit.

Tasks