General

  • Target

    DarkComet - v.5.3.1 FWB.exe

  • Size

    17.4MB

  • Sample

    221009-tfmmcahbg5

  • MD5

    c024f8b0b4261b9be1b91c6ade2dda7c

  • SHA1

    4906f7060ab6480b74f7595c35d980c6362fc5b2

  • SHA256

    8df919d13e79c80c26053c7aa529fc3a0b49c0db77f957b38c49e80e9ffb53a4

  • SHA512

    0ad21960063804c974f09dc7043e9ed4f0769387bab72e391dc2d51ad0a01e385a5b00c6047ec9c7907023aebeb3d61b7725052c7d980a607e220222eb760d43

  • SSDEEP

    196608:j9MP1MAjVO50UX2gZ71Sh2c8YcGrDUHFy0L+jvKqivOt4AdomZ0p1lm2fB1p4oUg:j9MP1Q6F8RC8tQRiqcU4mzKp1E2fBS

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

dnsali.3utilities.com:1604

Mutex

DC_MUTEX-S3VT824

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    aedfreoKqqaC

  • install

    true

  • offline_keylogger

    true

  • password

    12022005

  • persistence

    false

  • reg_key

    MicroUpdate
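How a config like the one above is recovered from a DarkComet 5.x stub, as an added example that is not part of this report and not DarkComet's own code. The assumptions, taken from public open-source DarkComet decoders rather than from this page, are: the config is stored as a hex string in an RCDATA resource named DCDATA, it is RC4-encrypted with the version key "#KCMDDC51#-890" for builds 5.1 and later, the plaintext is KEY={VALUE} lines (MUTEX, SID, NETDATA, GENCODE, INSTALL, KEYNAME, EDTPATH, PERSINST, OFFLINEK, PWD), and C2 traffic is RC4-keyed with the version key concatenated with PWD. The Run key location in indicators() is likewise assumed. The sample resource body is constructed from this report's values and encrypted in the script so the decode path runs offline.

```python
import re

# RC4 key DarkComet 5.1+ uses for the embedded config (assumption from
# public decoders; this report does not state it).
DC51_CONFIG_KEY = b"#KCMDDC51#-890"

# Raw config keys -> the field names used in the report (assumed mapping).
FIELD_MAP = {
    "MUTEX": "mutex", "SID": "botnet", "NETDATA": "c2", "GENCODE": "gencode",
    "INSTALL": "install", "KEYNAME": "reg_key", "EDTPATH": "install_path",
    "PERSINST": "persistence", "OFFLINEK": "offline_keylogger", "PWD": "password",
}
BOOL_FIELDS = {"install", "persistence", "offline_keylogger"}
LINE_RE = re.compile(r"^([A-Z0-9]+)=\{(.*)\}$")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it also builds the test input."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(plaintext: str) -> dict:
    """Map decrypted KEY={VALUE} lines onto the report's field names."""
    cfg = {}
    for line in plaintext.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner lines such as '#BEGIN DARKCOMET DATA --'
        raw_key, value = m.groups()
        name = FIELD_MAP.get(raw_key)
        if name is None:
            continue  # keys this example does not model (e.g. FWB)
        if name in BOOL_FIELDS:
            cfg[name] = value == "1"
        elif name == "c2":
            # NETDATA may carry several host:port entries separated by '|'.
            cfg[name] = []
            for entry in value.split("|"):
                host, _, port = entry.rpartition(":")
                cfg[name].append((host, int(port)))
        else:
            cfg[name] = value
    return cfg


def decode_dcdata(resource_hex: str, key: bytes = DC51_CONFIG_KEY) -> dict:
    """Decode the hex-encoded, RC4-encrypted body of the DCDATA resource."""
    return parse_config(rc4(key, bytes.fromhex(resource_hex)).decode("latin-1"))


def indicators(cfg: dict) -> dict:
    """Derive host and network artifacts to hunt for from a decoded config."""
    ioc = {
        "mutex": cfg.get("mutex"),
        "c2": [f"{h}:{p}" for h, p in cfg.get("c2", [])],
        "install_path_suffix": cfg.get("install_path"),  # base dir is build-dependent
    }
    if cfg.get("install") and cfg.get("reg_key"):
        # Assumed autostart location; the value name comes from KEYNAME.
        ioc["run_key"] = ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
                          + cfg["reg_key"])
    if cfg.get("password") is not None:
        # Traffic key = version key + operator password (per public analyses).
        ioc["traffic_rc4_key"] = DC51_CONFIG_KEY + cfg["password"].encode("latin-1")
    return ioc


# Constructed sample: this report's values in the plaintext layout the
# decoders expect, RC4-encrypted here so the real decode path is exercised.
SAMPLE_PLAINTEXT = "\r\n".join([
    "#BEGIN DARKCOMET DATA --", "MUTEX={DC_MUTEX-S3VT824}", "SID={Guest16}",
    "FWB={0}", "NETDATA={dnsali.3utilities.com:1604}", "GENCODE={aedfreoKqqaC}",
    "INSTALL={1}", "KEYNAME={MicroUpdate}", r"EDTPATH={MSDCSC\msdcsc.exe}",
    "PERSINST={0}", "OFFLINEK={1}", "PWD={12022005}", "#EOF DARKCOMET DATA --",
])
SAMPLE_DCDATA_HEX = rc4(DC51_CONFIG_KEY, SAMPLE_PLAINTEXT.encode("latin-1")).hex().upper()

if __name__ == "__main__":
    cfg = decode_dcdata(SAMPLE_DCDATA_HEX)
    for k, v in cfg.items():
        print(f"{k:18} {v}")
    print(indicators(cfg))
```

On a real stub, replace SAMPLE_DCDATA_HEX with the DCDATA resource bytes pulled from the PE; if the decode yields no KEY={VALUE} lines, try the older version keys before concluding the config is absent.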

Targets

    • Target

      DarkComet - v.5.3.1 FWB.exe

    • Size

      17.4MB

    • MD5

      c024f8b0b4261b9be1b91c6ade2dda7c

    • SHA1

      4906f7060ab6480b74f7595c35d980c6362fc5b2

    • SHA256

      8df919d13e79c80c26053c7aa529fc3a0b49c0db77f957b38c49e80e9ffb53a4

    • SHA512

      0ad21960063804c974f09dc7043e9ed4f0769387bab72e391dc2d51ad0a01e385a5b00c6047ec9c7907023aebeb3d61b7725052c7d980a607e220222eb760d43

    • SSDEEP

      196608:j9MP1MAjVO50UX2gZ71Sh2c8YcGrDUHFy0L+jvKqivOt4AdomZ0p1lm2fB1p4oUg:j9MP1Q6F8RC8tQRiqcU4mzKp1E2fBS

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6