General

  • Target

    3e307327c01476afdca19bca143008bd8b5349a34ebcce12399ab07bb27bc3f2

  • Size

    939KB

  • Sample

    221014-l2kqwaadc5

  • MD5

    68546f8bfc470bdd9af61c02f741bd00

  • SHA1

    3d0e794cbd018c7b4d04c2f3100d7038a0e56cf1

  • SHA256

    3e307327c01476afdca19bca143008bd8b5349a34ebcce12399ab07bb27bc3f2

  • SHA512

    b8f143810b0da2ee903ed2555f9bf21f3d2389b510ea862e9fcb1f8aff9990fc093e6047511059eb78836998b8d8f3963d1ab592cbf90fbbf20d1b1b8b93492d

  • SSDEEP

    24576:z9Pwdxc7hNBBIj2tEt7BtLL36TDRwqNPN3cmWGM:zOvKhNTKt7TL36TDRwIV3ct

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2


Mutex

DC_MUTEX-GMSXAGT

Attributes

  • InstallPath

    msvc\msvcc.exe

  • gencode

    nP2GrKS79iHa

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    rundll32

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar tools.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext
