General

  • Target: 802bab90c9cf8ae6af2bdecafad3f703b1f4f43ee6637fa89311c1196535284a
  • Size: 340KB
  • Sample: 221011-k9f7zsfga4
  • MD5: 68fac5d1833e4398760285310aa1ad70
  • SHA1: 2cbc1c53898adee768103477a92431bf6b188df9
  • SHA256: 802bab90c9cf8ae6af2bdecafad3f703b1f4f43ee6637fa89311c1196535284a
  • SHA512: 30a80fd01003d0fa2f2601afddc69b05c25eaa856525f72055b663fc8dd1fd6d1129f4d4de1daa248a564632fdc95244e35c276f6bbf22b69852be1da2e750f5
  • SSDEEP: 6144:O4D5rBufqRqgoCUKLKMgpZbSviaWEdgXLSQH0D3f6dywkp/XoBDw7TvwlDa:RD5pq7zMgpdYaEda30DP6dKoBDeGD

Malware Config

Extracted

  • Family: darkcomet
  • Botnet: Guest
  • C2:
    • 192.168.1.2:1605
    • mydcrat.no-ip.org:1605
    • 89.123.179.240:1605
  • Mutex: DC_MUTEX-G19MRST

Attributes

  • InstallPath: Update\Installer.exe
  • gencode: gfW7XqTSi44u
  • install: true
  • offline_keylogger: true
  • persistence: true
  • reg_key: Update

Targets

    • Darkcomet: DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
    • Modifies WinLogon for persistence
    • Modifies firewall policy service
    • Modifies security service
    • Windows security bypass
    • Executes dropped EXE
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
    • Loads dropped DLL
    • Windows security modification
    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks