General
-
Target
e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9
-
Size
927KB
-
Sample
221004-dg1btsaac2
-
MD5
6d5416776bd0f3854a271722098d719e
-
SHA1
ff6876a938916d3010963136ef8b084f0d703b5d
-
SHA256
e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9
-
SHA512
3fb3335b5f22bd29373d83bede4fb9764f7f3699d43f9339ec4f24e25e07dfdb7b8666fcd223a8ac0bc11b56219c933a29db6a50f9a5105cdb229fb3a0ffd3fb
-
SSDEEP
24576:NZPMSPOdEDGD8Xa6x4LqKMg1tXykjBUyNts4cPq:DOv8XFKLx1tisNFh
Malware Config
Extracted
darkcomet
Guest16
109.104.87.142:2039
DC_MUTEX-X2C2Y2U
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
FcUN6bdTNYgc
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Extracted
darkcomet
CryptService
bezerkmedia.no-ip.biz:1606
DCMIN_MUTEX-97A2GT7
-
gencode
0n1bb6xQeSjV
-
install
false
-
offline_keylogger
true
-
persistence
false
Targets
-
-
Target
e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9
-
Size
927KB
-
MD5
6d5416776bd0f3854a271722098d719e
-
SHA1
ff6876a938916d3010963136ef8b084f0d703b5d
-
SHA256
e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9
-
SHA512
3fb3335b5f22bd29373d83bede4fb9764f7f3699d43f9339ec4f24e25e07dfdb7b8666fcd223a8ac0bc11b56219c933a29db6a50f9a5105cdb229fb3a0ffd3fb
-
SSDEEP
24576:NZPMSPOdEDGD8Xa6x4LqKMg1tXykjBUyNts4cPq:DOv8XFKLx1tisNFh
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Modifies security service
-
Windows security bypass
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-