General

  • Target

    d3f43c6f76107610cf30b0ef751cd5743cd05bb42f182f5933ac58cf08e63090

  • Size

    232KB

  • Sample

    221011-lasx6sfge3

  • MD5

    6518355730fc5451e1282980c71e2c20

  • SHA1

    4279b8fd805980a202abefaf39cdc068f88a0570

  • SHA256

    d3f43c6f76107610cf30b0ef751cd5743cd05bb42f182f5933ac58cf08e63090

  • SHA512

    1cced1364496f8c4f7eaced73e53ee0ce941225b0f4827a4e7e5e4359cb38c32838bfd7312388c00ccfff48256b4ac49ac0c66d79c1ef15d48cd6c04edb2f21a

  • SSDEEP

    6144:HjFy93LU92VxOtVflFud4TnxcpPTASCmqMorHwMyDoS:DFy9bPQZlFjrG0ZmYbwvoS

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16_min

  • C2

    aazzeezz.no-ip.biz:1604

  • Mutex

    DCMIN_MUTEX-ZL27BN5

Attributes

  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    WyaQPspYwvik

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    DarkComet RAT

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application
