General

  • Target

    579d9d9ae7f49e2a0cd43e61d65f89b2ebe2026097c2c4d378d569d10867ded5

  • Size

    480KB

  • Sample

    221014-l2tzjsadd5

  • MD5

    6d2ef4155874c6331e50b3c7f2b39110

  • SHA1

    3508f3309f24d1f42f0b112972040245e36c02cc

  • SHA256

    579d9d9ae7f49e2a0cd43e61d65f89b2ebe2026097c2c4d378d569d10867ded5

  • SHA512

    7340a3d319e79a5659cd3aeae5069926fb10cfc071bd73a7010509a918e1d18c590b1a1d8da197198d0295e2fa76dea66e6e4ad5767d423388cbd0d52c133c56

  • SSDEEP

    12288:CRFj6MvPNFJv6NSd4NxcxzqX+Wub1WTxcpfAt1SZILqa5x:NMNFpRdocxzqX61V/wqOx

Malware Config

Extracted

Family

darkcomet

Botnet

Gæst-1

C2

spicial-k.no-ip.biz:1604

Mutex

DC_MUTEX-MEGHSPW

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    tWYZrC7zPWjY

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate
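The fields above are what a config extractor recovers from the sample. As an added worked example (not part of this sandbox report, and not DarkComet's or the sandbox vendor's own code), the script below decrypts and parses a DarkComet 5.x configuration blob the way public decoders do: the settings are stored as one RC4-encrypted, hex-encoded text block whose RC4 key is the builder's version string (for example "#KCMDDC51#-890" for 5.1) followed by the builder password, if one was set. The key prefixes, the BEGIN/EOF markers, the `KEY={value}` line format and the mapping from raw keys (SID, NETDATA, KEYNAME, EDTPATH, ...) to the labels in this report are taken from publicly documented decoders and should be treated as assumptions here; the sample blob is constructed inside the script by encrypting the values shown above, it is not data carved from the sample.

```python
"""Decrypt and parse a DarkComet 5.x config blob (RC4 + hex), with a constructed sample."""
from binascii import hexlify, unhexlify
from typing import Optional

# Version strings DarkComet uses as the RC4 key prefix; the builder password, if any,
# is appended to the prefix (assumed from public decoders).
KEY_PREFIXES = ("#KCMDDC51#-890", "#KCMDDC5#-890", "#KCMDDC42F#-890", "#KCMDDC42#-890")
BEGIN_MARK = "#BEGIN DARKCOMET DATA --"
END_MARK = "#EOF DARKCOMET DATA --"

# Raw config keys -> labels used in the report (assumed mapping).
FIELD_MAP = {
    "SID": "botnet", "NETDATA": "c2", "MUTEX": "mutex", "GENCODE": "gencode",
    "INSTALL": "install", "PERSINST": "persistence", "OFFLINEK": "offline_keylogger",
    "KEYNAME": "reg_key", "EDTPATH": "install_path",
}
BOOL_FIELDS = {"install", "persistence", "offline_keylogger"}


def rc4(data: bytes, key: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so the same routine encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(text: str) -> dict:
    """Turn the decrypted 'KEY={value}' lines into a dict keyed by report label."""
    cfg = {}
    for line in text.replace("\r", "").split("\n"):
        line = line.strip()
        if not line or line.startswith("#"):  # skips the BEGIN/EOF marker lines
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value.startswith("{") and value.endswith("}"):
            value = value[1:-1]
        name = FIELD_MAP.get(key.strip(), key.strip().lower())
        cfg[name] = (value == "1") if name in BOOL_FIELDS else value
    return cfg


def decrypt_config(hex_blob: str, password: str = "") -> Optional[dict]:
    """Try each known version prefix (plus password); accept the first decrypt that
    carries both markers. Returns None when no key works (e.g. wrong password)."""
    raw = unhexlify(hex_blob.strip())
    for prefix in KEY_PREFIXES:
        # Delphi ANSI strings: decode as latin-1 so non-ASCII botnet names survive.
        plain = rc4(raw, (prefix + password).encode("latin-1")).decode("latin-1")
        if plain.startswith(BEGIN_MARK) and END_MARK in plain:
            return parse_config(plain)
    return None


# Constructed sample: the values from this report, encrypted here under the 5.1 key.
SAMPLE_PLAINTEXT = "\n".join([
    BEGIN_MARK,
    "MUTEX={DC_MUTEX-MEGHSPW}",
    "SID={Gæst-1}",
    "NETDATA={spicial-k.no-ip.biz:1604}",
    "GENCODE={tWYZrC7zPWjY}",
    "INSTALL={1}",
    "PERSINST={1}",
    "OFFLINEK={1}",
    "KEYNAME={MicroUpdate}",
    r"EDTPATH={MSDCSC\msdcsc.exe}",
    END_MARK,
])
SAMPLE_BLOB = hexlify(rc4(SAMPLE_PLAINTEXT.encode("latin-1"), b"#KCMDDC51#-890")).decode().upper()

if __name__ == "__main__":
    for label, value in (decrypt_config(SAMPLE_BLOB) or {}).items():
        print(f"{label:18} {value}")
```

On a real sample the hex blob comes from the binary's RCDATA resource (the 5.x builds keep it in a resource named DCDATA, older builds split the fields into separate resources); the decoder above only covers the single-blob layout, and a non-empty builder password has to be supplied or brute-forced because it changes the RC4 key.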

Targets

    • Target

      579d9d9ae7f49e2a0cd43e61d65f89b2ebe2026097c2c4d378d569d10867ded5

    • Size

      480KB

    • MD5

      6d2ef4155874c6331e50b3c7f2b39110

    • SHA1

      3508f3309f24d1f42f0b112972040245e36c02cc

    • SHA256

      579d9d9ae7f49e2a0cd43e61d65f89b2ebe2026097c2c4d378d569d10867ded5

    • SHA512

      7340a3d319e79a5659cd3aeae5069926fb10cfc071bd73a7010509a918e1d18c590b1a1d8da197198d0295e2fa76dea66e6e4ad5767d423388cbd0d52c133c56

    • SSDEEP

      12288:CRFj6MvPNFJv6NSd4NxcxzqX+Wub1WTxcpfAt1SZILqa5x:NMNFpRdocxzqX61V/wqOx

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modifies WinLogon for persistence

    • ModiLoader Second Stage

    • Molebox Virtualization software

      Detects a file packed with the MoleBox virtualization software.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
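Two of the behaviours listed above, "Adds Run key to start application" and "Modifies WinLogon for persistence", are the ones a responder can hunt for on endpoints. As an added example (not part of this report and not the sandbox vendor's detection code), the function below checks Sysmon registry value-set events (Event ID 13) for both: a Run/RunOnce value whose data points into a user-writable location, and a Winlogon Userinit value that launches anything besides userinit.exe. The report only says Winlogon is modified, so the choice of the Userinit value is an assumption, as is the MSDCSC folder living under the user's Documents directory; the events are constructed for the example. The check is written generally (any Run value name, any extra Userinit entry) rather than only matching the MicroUpdate name seen here.

```python
"""Hunt Sysmon Event ID 13 (registry value set) for Run-key and Winlogon Userinit persistence."""
import re

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\(?P<name>[^\\]+)$", re.I)
USERINIT_RE = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\Userinit$", re.I)
# Locations an unprivileged user can write to; a Run entry pointing here is worth a look.
USER_WRITABLE = ("\\users\\", "\\documents and settings\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
LEGIT_USERINIT = "userinit.exe"


def _strip_quotes(s: str) -> str:
    return s.strip().strip('"')


def _user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def find_persistence(events):
    """Return one finding per suspicious registry write; benign writes are ignored."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target, details = ev.get("TargetObject", ""), ev.get("Details", "")
        m = RUN_KEY_RE.search(target)
        if m and _user_writable(details):
            findings.append({"technique": "run_key", "value": m.group("name"),
                             "path": _strip_quotes(details), "image": ev.get("Image")})
            continue
        if USERINIT_RE.search(target):
            # Userinit is a comma-separated list; anything beyond userinit.exe is an implant.
            entries = (_strip_quotes(x) for x in details.split(","))
            extra = [e for e in entries if e and not e.lower().endswith(LEGIT_USERINIT)]
            if extra:
                findings.append({"technique": "winlogon_userinit", "value": "Userinit",
                                 "path": extra[0], "image": ev.get("Image")})
    return findings


# Constructed events (assumed install location under Documents; not from the report).
MSDCSC = r"C:\Users\alice\Documents\MSDCSC\msdcsc.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": MSDCSC,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate",
     "Details": MSDCSC},
    {"EventID": 13, "Image": MSDCSC,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe," + MSDCSC},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\updater.exe",          # benign: Program Files
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 13, "Image": r"C:\Windows\system32\svchost.exe",               # benign: unchanged
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,"},
]

if __name__ == "__main__":
    for f in find_persistence(SAMPLE_EVENTS):
        print(f"{f['technique']:18} {f['value']:12} -> {f['path']}  (by {f['image']})")
```

Feeding the same function real Sysmon exports (or the equivalent EDR registry telemetry) turns the two signature names above into a concrete hunt; the Run-key check deliberately ignores entries under Program Files, so expect to tune USER_WRITABLE for environments that install software into non-standard paths.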
