General

  • Target

    245c324dc606d05bd556cbd65e18237cad79e82206fa080959ccced5a8082651

  • Size

    232KB

  • Sample

    221014-l22dmaade3

  • MD5

    4476168a370bc5887b21c0fa4c0c6d90

  • SHA1

    55bdc22e3dc6a7843a8d2f6f9af426ee5ee0a8e3

  • SHA256

    245c324dc606d05bd556cbd65e18237cad79e82206fa080959ccced5a8082651

  • SHA512

    40d53217eb9ac2cc664b58e006a26d562f4fbb4b0851d0f646dd6f34b63451eebe23eab818b8e1f6bbbc4a2078f173bea5d11ac8f32d308a458e74c8bb0559d0

  • SSDEEP

    6144:JjFy93LU92VxOtVflFud4TnxcpPTASCmqMorHwMToS:VFy9bPQZlFjrG0ZmYbwSoS

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

85.151.77.135:2042

Mutex

DCMIN_MUTEX-JXAL8YV

Attributes

  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    rv8TypgSw9eL

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    Google

Targets

    • Target

      245c324dc606d05bd556cbd65e18237cad79e82206fa080959ccced5a8082651

    • Size

      232KB

    • MD5

      4476168a370bc5887b21c0fa4c0c6d90

    • SHA1

      55bdc22e3dc6a7843a8d2f6f9af426ee5ee0a8e3

    • SHA256

      245c324dc606d05bd556cbd65e18237cad79e82206fa080959ccced5a8082651

    • SHA512

      40d53217eb9ac2cc664b58e006a26d562f4fbb4b0851d0f646dd6f34b63451eebe23eab818b8e1f6bbbc4a2078f173bea5d11ac8f32d308a458e74c8bb0559d0

    • SSDEEP

      6144:JjFy93LU92VxOtVflFud4TnxcpPTASCmqMorHwMToS:VFy9bPQZlFjrG0ZmYbwSoS

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Loads dropped DLL

    • Adds Run key to start application
