General

  • Target

    8104866323.zip

  • Size

    350KB

  • Sample

    221005-lfazjseahm

  • MD5

    af3fc5723787b6ae967a933afd6003c9

  • SHA1

    486989fcb543cdaeaa937a8360c40bb1d45c3cc5

  • SHA256

    c27390d5060a6ed747ecb8cbde6273f6aaac188d6edd9bd0a6294717424be2ff

  • SHA512

    8f62b101f359754ade1bb5b7138457a8359528687dcfa0af1440a8b0d53a2c95193469d165b257e302fd49f3ef6ffeb84fb80ccd3e42f631d7d2d74956b48f5f

  • SSDEEP

    6144:NkjfZzhFalCqat6FMbBqQpNOH6OhEnAr8i34s6f85jzahfDtoI3FIeTsUrMvHFBE:NqHalJ8XpCdhtGkFz2fVSYsSM/FBE

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

5.tcp.eu.ngrok.io:11769

Mutex

DCMIN_MUTEX-DZFT8J7

Attributes
  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    Xi8GZDsVw7Em

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    DarkComet RAT

Targets

    • Target

      003a042a75df5211952b5f4f9f9047a42c6ebb7ff42eaa1ecff2e46786dd45fb

    • Size

      658KB

    • MD5

      cabe1724c1a28ca8f3a7c3b8a7dcefc9

    • SHA1

      ea05843bb47d8fbb44041a8d9118b91e2509f7fb

    • SHA256

      003a042a75df5211952b5f4f9f9047a42c6ebb7ff42eaa1ecff2e46786dd45fb

    • SHA512

      65b804cf5213c59ad2ab94873505b2ded673aaa44fde8eb3017a67ca89dee81ff44a6ccb4301e6fde319ca612cdd499346c1ab1d1e36a32e6778e5e88835705c

    • SSDEEP

      12288:S9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hb:+Z1xuVVjfFoynPaVBUR8f+kN10EB1

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Adds Run key to start application
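The extracted config above (C2 host and port, mutex, InstallPath, reg_key) and the behaviours listed under Targets (Run key, Winlogon modification, dropped EXE executed) map directly onto host and network telemetry. The script below is an added example, not part of this report and not DarkComet's or the sandbox's code: it turns the page's config values into detection rules and runs them over a few constructed event lines. The event format, the Documents parent directory, the Run and Winlogon value names, and the generic DCMIN_MUTEX and ngrok-tunnel regexes are assumptions; only the config values themselves come from the page. Note that persistence: false in the config does not mean no autostart, since the behaviour list still records a Run key and a Winlogon change, so the rules key on those rather than on the flag.

```python
"""Turn the DarkComet config extracted on this page into detection rules and
run them over constructed sandbox-style events (added example, not page code)."""
import re
from typing import Dict, List, Tuple

# Values copied from the "Malware Config" section of the report.
CONFIG = {
    "family": "darkcomet",
    "botnet": "Guest16_min",
    "c2": "5.tcp.eu.ngrok.io:11769",
    "mutex": "DCMIN_MUTEX-DZFT8J7",
    "install_path": r"DCSCMIN\IMDCSC.exe",
    "reg_key": "DarkComet RAT",
}

# Generic hunting heuristics (assumptions, not page data): the DarkComet mutex
# naming format and ngrok TCP-tunnel hostnames used as disposable C2.
MUTEX_RE = re.compile(r"^DCMIN_MUTEX-[A-Z0-9]{7}$")
NGROK_TCP_RE = re.compile(r"^\d+\.tcp(?:\.[a-z]{2})?\.ngrok\.io$", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
WINLOGON_RE = re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$", re.I)


def split_c2(c2: str) -> Tuple[str, int]:
    """'host:port' as stored in the config -> (host, port)."""
    host, port = c2.rsplit(":", 1)
    return host, int(port)


def classify_event(event: str) -> List[str]:
    """Return the rule names one event line triggers.

    Event lines are '|'-separated: kind|action|fields...  This is a constructed
    format for the example, not a sandbox export format.
    """
    kind, action, *fields = event.split("|")
    hits: List[str] = []
    c2_host, c2_port = split_c2(CONFIG["c2"])
    install_path = CONFIG["install_path"].lower()

    if kind == "mutex" and action == "create":
        name = fields[0]
        if name == CONFIG["mutex"]:
            hits.append("darkcomet_mutex_exact")   # this sample
        elif MUTEX_RE.match(name):
            hits.append("darkcomet_mutex_format")  # other DarkComet builds

    elif kind == "network" and action == "connect":
        dst_host, dst_port = fields[0], int(fields[1])
        if (dst_host.lower(), dst_port) == (c2_host.lower(), c2_port):
            hits.append("darkcomet_c2")
        if NGROK_TCP_RE.match(dst_host):
            hits.append("ngrok_tcp_tunnel")

    elif kind == "registry" and action == "set":
        key, value_name, data = fields[0], fields[1], fields[2]
        # "Adds Run key to start application": value name is the config reg_key
        # or the data points at the InstallPath.
        if RUN_KEY_RE.search(key) and (
            value_name == CONFIG["reg_key"] or install_path in data.lower()
        ):
            hits.append("run_key_persistence")
        # "Modifies WinLogon for persistence": Userinit/Shell now chains the RAT.
        if (WINLOGON_RE.search(key)
                and value_name.lower() in ("userinit", "shell")
                and install_path in data.lower()):
            hits.append("winlogon_persistence")

    elif kind == "process" and action == "create":
        # "Executes dropped EXE": the process image is the InstallPath.
        if fields[0].lower().endswith(install_path):
            hits.append("dropped_exe_executed")

    return hits


def scan(events: List[str]) -> Dict[str, List[str]]:
    """Map each triggered rule to the event lines that fired it."""
    report: Dict[str, List[str]] = {}
    for ev in events:
        for rule in classify_event(ev):
            report.setdefault(rule, []).append(ev)
    return report


# Constructed events modelled on the behaviours in the report; the Documents
# parent directory and the registry value names are assumptions.
SAMPLE_EVENTS = [
    r"process|create|C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe",
    r"mutex|create|DCMIN_MUTEX-DZFT8J7",
    r"registry|set|HKCU\Software\Microsoft\Windows\CurrentVersion\Run|DarkComet RAT|C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe",
    r"registry|set|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|UserInit|C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe",
    r"network|connect|5.tcp.eu.ngrok.io|11769",
    r"network|connect|update.microsoft.com|443",  # benign, must not fire
]

if __name__ == "__main__":
    for rule, evs in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{rule}: {len(evs)} event(s)")
```

The exact-mutex and exact-C2 rules only catch this build; the format-based mutex rule and the ngrok-tunnel rule are the ones worth keeping in a hunt, since the operator can rebuild with a new gencode and a new tunnel at no cost.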

MITRE ATT&CK Enterprise v6