General

  • Target

    e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9

  • Size

    927KB

  • Sample

    221004-dg1btsaac2

  • MD5

    6d5416776bd0f3854a271722098d719e

  • SHA1

    ff6876a938916d3010963136ef8b084f0d703b5d

  • SHA256

    e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9

  • SHA512

    3fb3335b5f22bd29373d83bede4fb9764f7f3699d43f9339ec4f24e25e07dfdb7b8666fcd223a8ac0bc11b56219c933a29db6a50f9a5105cdb229fb3a0ffd3fb

  • SSDEEP

    24576:NZPMSPOdEDGD8Xa6x4LqKMg1tXykjBUyNts4cPq:DOv8XFKLx1tisNFh

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

109.104.87.142:2039

Mutex

DC_MUTEX-X2C2Y2U

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    FcUN6bdTNYgc

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Extracted

Family

darkcomet

Botnet

CryptService

C2

bezerkmedia.no-ip.biz:1606

Mutex

DCMIN_MUTEX-97A2GT7

Attributes
  • gencode

    0n1bb6xQeSjV

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9

    • Size

      927KB

    • MD5

      6d5416776bd0f3854a271722098d719e

    • SHA1

      ff6876a938916d3010963136ef8b084f0d703b5d

    • SHA256

      e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9

    • SHA512

      3fb3335b5f22bd29373d83bede4fb9764f7f3699d43f9339ec4f24e25e07dfdb7b8666fcd223a8ac0bc11b56219c933a29db6a50f9a5105cdb229fb3a0ffd3fb

    • SSDEEP

      24576:NZPMSPOdEDGD8Xa6x4LqKMg1tXykjBUyNts4cPq:DOv8XFKLx1tisNFh

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

2
T1031

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

7
T1112

Disabling Security Tools

2
T1089

Hidden Files and Directories

2
T1158

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks