General
-
Target
0f0b1650c9f50ada21f103a256f1ea916fafacec0b6f37eb58e1b93275f80f67
-
Size
252KB
-
Sample
221003-tmv73aebg8
-
MD5
5cb41d5644b7fbcc80696ca93a7f8db0
-
SHA1
50b84025fb13434eb6215dfd37ea4f0a2e605dcf
-
SHA256
0f0b1650c9f50ada21f103a256f1ea916fafacec0b6f37eb58e1b93275f80f67
-
SHA512
e067d8036c4695d11326d17c3e7592f04d4b48a03075883f19003455d0b4a461ac6d1db2c2cfe6cf5e26fedccda71e84022dccb247c7eca8b58cad0fce3988c2
-
SSDEEP
6144:9cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37:9cW7KEZlPzCy37
Malware Config
Extracted
darkcomet
Guest16
davidbre.noip.me:1604
DC_MUTEX-C2MMFJV
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
8hBR0eRJKy3N
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Targets
-
-
Target
0f0b1650c9f50ada21f103a256f1ea916fafacec0b6f37eb58e1b93275f80f67
-
Size
252KB
-
MD5
5cb41d5644b7fbcc80696ca93a7f8db0
-
SHA1
50b84025fb13434eb6215dfd37ea4f0a2e605dcf
-
SHA256
0f0b1650c9f50ada21f103a256f1ea916fafacec0b6f37eb58e1b93275f80f67
-
SHA512
e067d8036c4695d11326d17c3e7592f04d4b48a03075883f19003455d0b4a461ac6d1db2c2cfe6cf5e26fedccda71e84022dccb247c7eca8b58cad0fce3988c2
-
SSDEEP
6144:9cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37:9cW7KEZlPzCy37
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Modifies security service
-
Windows security bypass
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-