General

  • Target

    844d33b194e5882d9bb2525b80c8fc33bd7f90bc57eb57f505955367c87b443d

  • Size

    251KB

  • Sample

    221014-l21r4aade2

  • MD5

    6d89f17a93725147c6f613ff4efcb340

  • SHA1

    d66e284e78c103aaa5829b581c8b348486a4b8e3

  • SHA256

    844d33b194e5882d9bb2525b80c8fc33bd7f90bc57eb57f505955367c87b443d

  • SHA512

    5e30d4707d489fb21a42b1c93238e4ad99cf372f15041b2bb1da312111f3565aa390be2e77e02e1485ff48492e33da57988d663625265b3762a464db467a169c

  • SSDEEP

    6144:ccNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL377:ccW7KEZlPzCy377

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    not a rat

  • C2

    konedriver.zapto.org:3333

  • Mutex

    DC_MUTEX-Y5E8LB3

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    xWrcEfHfZmbo

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Loads dropped DLL

    • Adds Run key to start application
