General

  • Target

    6f9058fdd24e2a047a10683b70c6533f503580310540e9081a5f54d16bba6e85

  • Size

    658KB

  • Sample

    221011-k9hqtafga7

  • MD5

    66ba2f7d05cb1a776656ed5e4c2af3e0

  • SHA1

    416963f6e3f2638f90bc167b5240715722bae588

  • SHA256

    6f9058fdd24e2a047a10683b70c6533f503580310540e9081a5f54d16bba6e85

  • SHA512

    93e52520a6c6823dcadce673f575066f51a21c8e5c5ad2f24cd1d83bfd65db2118b5d26364249d7a836f65e61d61c3094b05b623261d544ef435cb661da1f79d

  • SSDEEP

    12288:S9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hO:+Z1xuVVjfFoynPaVBUR8f+kN10EBY

Malware Config

Extracted

Family

darkcomet

Botnet

Gu954

C2

loka2014.no-ip.biz:1604

Mutex

DCMIN_MUTEX-ASAF0Z7

Attributes

  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    p1ZW1rDFH6dl

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    DarkComet RAT

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks