General

  • Target

    53088007e7fc6b99d0360c11271a93c30ec0027702295510a2ff678bd6c23eae

  • Size

    658KB

  • Sample

    221011-k9kv6sfgb2

  • MD5

    7c875df6ebb540e41e086be9d5974ca0

  • SHA1

    33558cb8b6431cb52d6ff668972a73193c4e736f

  • SHA256

    53088007e7fc6b99d0360c11271a93c30ec0027702295510a2ff678bd6c23eae

  • SHA512

    5b80526affb94975208dcde9613d252cc704b279ec1d045e69a142569ada693a1e07b3ad84ae09b9002fc672fbfd50e119aedfff6604b02aa378d888f9aebd3a

  • SSDEEP

    12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hj:KZ1xuVVjfFoynPaVBUR8f+kN10EBV

Malware Config

Extracted

Family

darkcomet

Botnet

SAM

C2

test83.no-ip.org:81

Mutex

DC_MUTEX-MZFNFBS

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    BCiSTmz7anRH

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      53088007e7fc6b99d0360c11271a93c30ec0027702295510a2ff678bd6c23eae

    • Size

      658KB

    • MD5

      7c875df6ebb540e41e086be9d5974ca0

    • SHA1

      33558cb8b6431cb52d6ff668972a73193c4e736f

    • SHA256

      53088007e7fc6b99d0360c11271a93c30ec0027702295510a2ff678bd6c23eae

    • SHA512

      5b80526affb94975208dcde9613d252cc704b279ec1d045e69a142569ada693a1e07b3ad84ae09b9002fc672fbfd50e119aedfff6604b02aa378d888f9aebd3a

    • SSDEEP

      12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hj:KZ1xuVVjfFoynPaVBUR8f+kN10EBV

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks