General

  • Target

    0f0b1650c9f50ada21f103a256f1ea916fafacec0b6f37eb58e1b93275f80f67

  • Size

    252KB

  • Sample

    221003-tmv73aebg8

  • MD5

    5cb41d5644b7fbcc80696ca93a7f8db0

  • SHA1

    50b84025fb13434eb6215dfd37ea4f0a2e605dcf

  • SHA256

    0f0b1650c9f50ada21f103a256f1ea916fafacec0b6f37eb58e1b93275f80f67

  • SHA512

    e067d8036c4695d11326d17c3e7592f04d4b48a03075883f19003455d0b4a461ac6d1db2c2cfe6cf5e26fedccda71e84022dccb247c7eca8b58cad0fce3988c2

  • SSDEEP

    6144:9cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37:9cW7KEZlPzCy37

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

davidbre.noip.me:1604

Mutex

DC_MUTEX-C2MMFJV

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    8hBR0eRJKy3N

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      0f0b1650c9f50ada21f103a256f1ea916fafacec0b6f37eb58e1b93275f80f67

    • Size

      252KB

    • MD5

      5cb41d5644b7fbcc80696ca93a7f8db0

    • SHA1

      50b84025fb13434eb6215dfd37ea4f0a2e605dcf

    • SHA256

      0f0b1650c9f50ada21f103a256f1ea916fafacec0b6f37eb58e1b93275f80f67

    • SHA512

      e067d8036c4695d11326d17c3e7592f04d4b48a03075883f19003455d0b4a461ac6d1db2c2cfe6cf5e26fedccda71e84022dccb247c7eca8b58cad0fce3988c2

    • SSDEEP

      6144:9cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37:9cW7KEZlPzCy37

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

2
T1031

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

7
T1112

Disabling Security Tools

2
T1089

Hidden Files and Directories

2
T1158

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks