General

  • Target

    0d5eee7dbdb7d1f3d08852163cc48a21dce851d4e04e341166f7a2294344fa8b

  • Size

    658KB

  • Sample

    221011-k9ts3sfgb9

  • MD5

    717027a172645129c141ec16eaf8b1e0

  • SHA1

    4ee755232162bbe9f65c927aafd1f884f8802631

  • SHA256

    0d5eee7dbdb7d1f3d08852163cc48a21dce851d4e04e341166f7a2294344fa8b

  • SHA512

    d9c0e07ebca244103b1e1a36cf84f77f023dedbb879a052a5fedb0558cbe1d8c803182d58e39d7233b26448b982017f8cb308e197b7a9460c8dc94bdd1e52638

  • SSDEEP

    12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hL:KZ1xuVVjfFoynPaVBUR8f+kN10EB5

Malware Config

Extracted

Family

darkcomet

Botnet

server

C2

kasper-sky.no-ip.biz:1604

192.168.1.1:1604

Mutex

DC_MUTEX-2L2NTTQ

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    W8n2KfdYAzoQ

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      0d5eee7dbdb7d1f3d08852163cc48a21dce851d4e04e341166f7a2294344fa8b

    • Size

      658KB

    • MD5

      717027a172645129c141ec16eaf8b1e0

    • SHA1

      4ee755232162bbe9f65c927aafd1f884f8802631

    • SHA256

      0d5eee7dbdb7d1f3d08852163cc48a21dce851d4e04e341166f7a2294344fa8b

    • SHA512

      d9c0e07ebca244103b1e1a36cf84f77f023dedbb879a052a5fedb0558cbe1d8c803182d58e39d7233b26448b982017f8cb308e197b7a9460c8dc94bdd1e52638

    • SSDEEP

      12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hL:KZ1xuVVjfFoynPaVBUR8f+kN10EB5

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks