General

  • Target

    944ffe314b5646d086424ddc73157855aa47f93955aad19a774a9f79d574c45d

  • Size

    649KB

  • Sample

    221011-k98x1afgc7

  • MD5

    7cc43446a7c3b5b4d28f23b0d1173cc0

  • SHA1

    0f5ed1dad2915d5979b63548bad59065aac3e42a

  • SHA256

    944ffe314b5646d086424ddc73157855aa47f93955aad19a774a9f79d574c45d

  • SHA512

    2675d82cc6d5cb33846348caa9483e4a4dc8bd5e839ca5923d329e2f86091a635371d0547fcf786618a05577da8e085452f9999db73df9f38d61ca7c884266a3

  • SSDEEP

    12288:7k0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+s:w0QRWoJEfg0oChGdJQbjPbNW5tYeP+G5

Malware Config

Extracted

Family

darkcomet

Botnet

Rat

C2

bxf4.no-ip.biz:3074

Mutex

DCMIN_MUTEX-JQ1P8KN

Attributes
  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    0g1eJFgpg3x9

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    Updates
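
The fields above are what a config extractor pulls out of the binary. As an added example (not the sandbox's or DarkComet's own code), the following Python shows how such a configuration is recovered: DarkComet 5.x builds carry the config as an upper-case hex string of RC4 ciphertext in an RCDATA resource named DCDATA, and the RC4 key for 5.1-era builds is widely documented as "#KCMDDC51#-890" (the numeric part differs per version). Both of those facts, the raw field names (MUTEX, NETDATA, GENCODE, INSTALL, EDTPATH, KEYNAME, PERSINST, OFFLINEK) and the mapping onto this report's attribute names are assumptions of the example, since the page does not state the version or the raw keys. Because the sample itself is not on the page, the blob is constructed from the report's own values by encrypting a plaintext config the way a builder would, then decrypted and parsed; on a real sample you would read the DCDATA resource out of the PE (for instance with pefile) and pass its text to decrypt_dcdata.

```python
"""
Decrypt and parse a DarkComet 5.x configuration blob.

Added example, not taken from the sandbox report or from DarkComet itself.
Assumptions:
  * config lives in an RCDATA resource "DCDATA" as upper-case hex of RC4 output
  * the static key for 5.1 builds is "#KCMDDC51#-890" (version not on the page)
  * raw field names follow public DarkComet write-ups; the mapping to the
    report's attribute names (and PERSINST -> "persistence") is this example's
"""
import re

DC51_KEY = b"#KCMDDC51#-890"   # assumption: DarkComet 5.1 static RC4 key

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

FIELD_RE = re.compile(r"^([A-Z0-9]+)=\{(.*)\}$")

def parse_dc_config(plaintext: str) -> dict:
    """Turn 'KEY={value}' lines into a dict; header/footer lines are skipped."""
    cfg = {}
    for line in plaintext.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def decrypt_dcdata(hex_blob: str, key: bytes = DC51_KEY) -> dict:
    """Hex-decode the DCDATA text, RC4-decrypt it and parse the fields."""
    raw = bytes.fromhex(hex_blob.strip())
    plain = rc4(key, raw).decode("latin-1")
    if "DARKCOMET" not in plain.upper():
        # wrong key for this version (or not a DarkComet blob at all)
        raise ValueError("no DarkComet marker after decryption; try another version key")
    return parse_dc_config(plain)

def to_report_attributes(cfg: dict) -> dict:
    """Map raw fields onto the attribute names the sandbox report uses."""
    host, _, port = cfg.get("NETDATA", "").rpartition(":")
    return {
        "c2": (host, int(port)) if port.isdigit() else (cfg.get("NETDATA"), None),
        "mutex": cfg.get("MUTEX"),
        "gencode": cfg.get("GENCODE"),
        "install": cfg.get("INSTALL") == "1",
        "install_path": cfg.get("EDTPATH"),
        "reg_key": cfg.get("KEYNAME"),
        "persistence": cfg.get("PERSINST") == "1",   # assumption: PERSINST, not PERS
        "offline_keylogger": cfg.get("OFFLINEK") == "1",
    }

# Constructed sample: a plaintext config built from the report's values and
# encrypted as a builder would, so the example runs without the binary.
SAMPLE_PLAINTEXT = "\r\n".join([
    "#BEGIN DARKCOMET DATA --",
    "MUTEX={DCMIN_MUTEX-JQ1P8KN}",
    "NETDATA={bxf4.no-ip.biz:3074}",
    "GENCODE={0g1eJFgpg3x9}",
    "INSTALL={1}",
    "EDTPATH={DCSCMIN\\IMDCSC.exe}",
    "KEYNAME={Updates}",
    "PERSINST={0}",
    "PERS={0}",
    "OFFLINEK={1}",
    "#EOF DARKCOMET DATA --",
])
SAMPLE_DCDATA_HEX = rc4(DC51_KEY, SAMPLE_PLAINTEXT.encode("latin-1")).hex().upper()

if __name__ == "__main__":
    for name, value in to_report_attributes(decrypt_dcdata(SAMPLE_DCDATA_HEX)).items():
        print(f"{name:18} {value}")
```

If decryption of a real DCDATA blob raises, the build is a different version and the key's numeric part must be changed; the marker check is what tells a wrong key apart from a damaged resource.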

Targets

    • Target

      944ffe314b5646d086424ddc73157855aa47f93955aad19a774a9f79d574c45d

    • Size

      649KB

    • MD5

      7cc43446a7c3b5b4d28f23b0d1173cc0

    • SHA1

      0f5ed1dad2915d5979b63548bad59065aac3e42a

    • SHA256

      944ffe314b5646d086424ddc73157855aa47f93955aad19a774a9f79d574c45d

    • SHA512

      2675d82cc6d5cb33846348caa9483e4a4dc8bd5e839ca5923d329e2f86091a635371d0547fcf786618a05577da8e085452f9999db73df9f38d61ca7c884266a3

    • SSDEEP

      12288:7k0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+s:w0QRWoJEfg0oChGdJQbjPbNW5tYeP+G5

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Loads dropped DLL

    • Adds Run key to start application
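
The signatures above, together with the extracted config, give a practitioner a concrete set of host and network indicators for this sample: the dropped executable under DCSCMIN\IMDCSC.exe, a Run value named Updates, a change to the Winlogon keys, the mutex, the DDNS hostname and the C2 port. The following Python is an added example (not part of the sandbox report) that matches those indicators against Sysmon-style telemetry; the event dicts and the handle list are constructed for the example, the field names follow Sysmon's (EventID 1, 3, 11, 13, 22) and the mutex pattern is this example's generalisation from DCMIN_MUTEX-JQ1P8KN, which is an assumption.

```python
"""
Match host and network telemetry against the DarkComet indicators in the report.
Added example; events below are constructed, not captured from the sandbox run.
"""
import re

# Indicators from the report (sample-specific unless noted).
C2_HOST = "bxf4.no-ip.biz"
C2_PORT = 3074
INSTALL_PATH_TAIL = r"dcscmin\imdcsc.exe"      # InstallPath attribute, lower-cased
RUN_VALUE_NAME = "updates"                      # reg_key attribute, lower-cased
# Assumption: generalised from DCMIN_MUTEX-JQ1P8KN (7-char upper-case alnum suffix).
DC_MUTEX_RE = re.compile(r"^DC[A-Z]*_MUTEX-[A-Z0-9]{7}$")
WINLOGON_RE = re.compile(r"\\windows nt\\currentversion\\winlogon\\(userinit|shell)$")
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\([^\\]+)$")

def _norm(s):
    return (s or "").lower()

def classify(ev: dict):
    """Return an indicator name if the event matches one of the IOCs, else None."""
    eid = ev.get("EventID")
    if eid == 11 and _norm(ev.get("TargetFilename")).endswith(INSTALL_PATH_TAIL):
        return "dropped_exe_written"
    if eid == 1 and _norm(ev.get("Image")).endswith(INSTALL_PATH_TAIL):
        return "dropped_exe_executed"
    if eid == 13:
        target = _norm(ev.get("TargetObject"))
        m = RUN_KEY_RE.search(target)
        if m and m.group(1) == RUN_VALUE_NAME:
            return "run_key_added"
        if WINLOGON_RE.search(target):
            return "winlogon_modified"
    if eid == 22 and _norm(ev.get("QueryName")) == C2_HOST:
        return "c2_dns_query"
    if eid == 3 and ev.get("DestinationPort") == C2_PORT and ev.get("Initiated", True):
        return "c2_port_connect"
    return None

def scan(events, mutexes=()):
    """Walk the telemetry once; return (source, indicator) hits in order."""
    hits = [(f"event[{i}]", tag) for i, ev in enumerate(events) if (tag := classify(ev))]
    for full_name in mutexes:
        base = full_name.rsplit("\\", 1)[-1]     # strip \Sessions\N\BaseNamedObjects\
        if DC_MUTEX_RE.match(base):
            hits.append((f"mutex:{base}", "darkcomet_mutex"))
    return hits

def verdict(hits):
    """Require corroboration: port 3074 alone is weak (it is also Xbox Live's port)."""
    tags = {t for _, t in hits}
    strong = tags & {"darkcomet_mutex", "dropped_exe_executed",
                     "c2_dns_query", "winlogon_modified"}
    if strong and len(tags) >= 2:
        return "darkcomet_infection_likely"
    return "suspicious_review" if tags else "clean"

# Constructed telemetry for the example (paths, SIDs and IPs are invented).
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Users\bob\Documents\DCSCMIN\IMDCSC.exe"},
    {"EventID": 1, "Image": r"C:\Users\bob\Documents\DCSCMIN\IMDCSC.exe",
     "ParentImage": r"C:\Users\bob\Downloads\invoice.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updates",
     "Details": r"C:\Users\bob\Documents\DCSCMIN\IMDCSC.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\bob\Documents\DCSCMIN\IMDCSC.exe"},
    {"EventID": 22, "QueryName": "bxf4.no-ip.biz"},
    {"EventID": 3, "DestinationIp": "203.0.113.7", "DestinationPort": 3074, "Initiated": True},
    {"EventID": 3, "DestinationIp": "203.0.113.8", "DestinationPort": 443, "Initiated": True},
]
SAMPLE_MUTEXES = [r"\Sessions\1\BaseNamedObjects\ZonesCounterMutex",
                  r"\Sessions\1\BaseNamedObjects\DCMIN_MUTEX-JQ1P8KN"]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS, SAMPLE_MUTEXES)
    for src, tag in found:
        print(f"{src:40} {tag}")
    print("verdict:", verdict(found))
```

The DDNS hostname and the port are operator choices and will differ between builds; the mutex format, the install directory name and the Winlogon/Run key changes survive across samples from the same builder and are the indicators worth keeping in a detection rule.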

MITRE ATT&CK Enterprise v6

Tasks