General

  • Target

    ef7cf32c862faf37438a4498376c8949f8b40f14c09b97a4180baa4cde3b5d83

  • Size

    232KB

  • Sample

    221014-l2xqfaadd7

  • MD5

    72a69812baa0e85ea8946cc8ae39f230

  • SHA1

    53143da9081700f63da56db304367700cab880ee

  • SHA256

    ef7cf32c862faf37438a4498376c8949f8b40f14c09b97a4180baa4cde3b5d83

  • SHA512

    ff9d8dfe88902db7063db62705cb9c6215896c64b7671e35cea2d38bf6166150eac1bf704a1b7aa4d99bf416252f92f1aa09ae6292f53386bdf83249b8abd073

  • SSDEEP

    6144:ijFy93LU92VxOtVflFud4TnxcpPTASCmqMorHwMwXtIoS:iFy9bPQZlFjrG0ZmYbwlXtIoS

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

127.0.0.1:1604

Mutex

DCMIN_MUTEX-C0HKP9Q

Attributes
  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    TEe1dY1p2nrS

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    exasoft
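The attributes above are the decoded form of the stub's configuration. As an added example (not code from the report, the sandbox, or DarkComet itself), the block below decodes a DarkComet-style configuration block into those same attribute names and derives two things an analyst wants from it: the C2 endpoint and whether it points at loopback, which is the case here (127.0.0.1:1604 cannot reach an operator, so this is most likely a test or unconfigured build). The per-line RC4 layout, the key `#KCMDDC51#-890`, the raw field names (`MUTEX`, `SID`, `NETDATA`, ...) and their mapping onto the report's attribute names are taken from public DarkComet decoder write-ups and are assumptions, not facts stated on this page; the sample block is constructed and encrypted in-block so the decode path runs end to end offline.

```python
# Added example (not code from the report or from DarkComet): decode a
# DarkComet-style configuration block into the attributes the report shows.
# Assumptions, from public DarkComet decoder write-ups: one RC4-encrypted,
# hex-encoded line per field, a version-specific key, NAME={value} syntax.
from typing import Dict, Iterable, Optional, Tuple

DC51_KEY = b"#KCMDDC51#-890"  # key public decoders use for 5.1 stubs (assumption)

# Raw config name -> attribute name used in the report (assumed mapping).
FIELD_MAP = {
    "MUTEX": "mutex",
    "SID": "botnet",
    "NETDATA": "c2",
    "GENCODE": "gencode",
    "INSTALL": "install",
    "EDTPATH": "InstallPath",
    "KEYNAME": "reg_key",
    "OFFLINEK": "offline_keylogger",
    "PERSINST": "persistence",
}
BOOL_FIELDS = {"install", "offline_keylogger", "persistence"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so one call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(lines: Iterable[str]) -> Dict[str, object]:
    """Turn decrypted NAME={value} lines into the report's attribute names."""
    cfg: Dict[str, object] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):  # BEGIN / EOF marker lines
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        attr = FIELD_MAP.get(name.strip())
        if attr is None:  # fields the report does not surface are ignored
            continue
        value = value.strip().strip("{}")
        cfg[attr] = (value == "1") if attr in BOOL_FIELDS else value
    return cfg


def decrypt_config(hex_lines: Iterable[str], key: bytes = DC51_KEY) -> Dict[str, object]:
    """Decrypt each hex line with RC4 and parse the result."""
    plain = [rc4(key, bytes.fromhex(h)).decode("latin-1") for h in hex_lines]
    return parse_config(plain)


def c2_endpoint(cfg: Dict[str, object]) -> Optional[Tuple[str, int]]:
    """Split the c2 string into (host, port); None if absent or malformed."""
    host, sep, port = str(cfg.get("c2", "")).rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host, int(port)


def is_loopback_c2(cfg: Dict[str, object]) -> bool:
    """A loopback C2 cannot reach an operator: treat as a test/unconfigured build."""
    ep = c2_endpoint(cfg)
    return ep is not None and ep[0] in ("127.0.0.1", "localhost", "::1")


# Constructed sample mirroring the values in the report, encrypted here with the
# same RC4 key so the decode path above is exercised end to end.
SAMPLE_PLAIN = [
    "#BEGIN DARKCOMET DATA --",
    "MUTEX={DCMIN_MUTEX-C0HKP9Q}",
    "SID={Guest16_min}",
    "NETDATA={127.0.0.1:1604}",
    "GENCODE={TEe1dY1p2nrS}",
    "INSTALL={1}",
    "EDTPATH={DCSCMIN\\IMDCSC.exe}",
    "KEYNAME={exasoft}",
    "OFFLINEK={1}",
    "PERSINST={0}",
    "#EOF DARKCOMET DATA --",
]
SAMPLE_HEX = [rc4(DC51_KEY, line.encode("latin-1")).hex().upper() for line in SAMPLE_PLAIN]

if __name__ == "__main__":
    cfg = decrypt_config(SAMPLE_HEX)
    for name, val in cfg.items():
        print(f"{name:18} {val}")
    print("loopback C2:", is_loopback_c2(cfg))
```

Running it prints the same attribute set as the report and flags the loopback C2. The decoder is keyed per stub version; if a real resource block fails to parse as NAME={value} text after decryption, try the other version keys from the public decoders before concluding the format has changed.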

Targets

    • Target

      ef7cf32c862faf37438a4498376c8949f8b40f14c09b97a4180baa4cde3b5d83

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory
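Two of the signatures above ("Modifies WinLogon for persistence" and "Adds Run key to start application") are autostart behaviours observed at runtime, even though the extracted config reports persistence as false; the observed registry writes, not the config flag, should drive the verdict. As an added example (not the sandbox's own signature logic), the block below checks registry-write events against those two behaviours and ties each hit back to the config's reg_key and InstallPath. The event records are constructed in a Sysmon-like shape (key, value, data, image) with invented paths; which Winlogon values the sandbox signature actually watches is not stated on the page, so checking Userinit and Shell against their stock data is an assumption.

```python
# Added example, not the sandbox's own signature code: check registry-write
# events against the two autostart behaviours in the report and tie them back
# to the extracted config. Event records are constructed in a Sysmon-like
# shape; the Winlogon values checked (Userinit, Shell) are an assumption.
import re
from typing import Dict, List

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Stock data for the Winlogon values; anything else is an autostart hook.
WINLOGON_DEFAULTS = {
    "Userinit": r"C:\Windows\system32\userinit.exe,",
    "Shell": "explorer.exe",
}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)


def detect_persistence(events: List[Dict[str, str]], cfg: Dict[str, object]) -> List[Dict[str, object]]:
    """One finding per Winlogon tamper or Run-key write; matches_config is set
    when the value name equals reg_key or the data contains InstallPath."""
    reg_key = str(cfg.get("reg_key", "")).lower()
    install_path = str(cfg.get("InstallPath", "")).lower()
    findings: List[Dict[str, object]] = []
    for ev in events:
        key, value, data = ev["key"], ev["value"], ev["data"]
        if key.lower() == WINLOGON_KEY.lower() and value in WINLOGON_DEFAULTS:
            if data.strip().lower() == WINLOGON_DEFAULTS[value].lower():
                continue  # stock data rewritten, not a hook
            technique = "winlogon"
        elif RUN_KEY_RE.search(key):
            technique = "run_key"
        else:
            continue  # unrelated registry write
        matches_config = value.lower() == reg_key or (
            bool(install_path) and install_path in data.lower()
        )
        findings.append({
            "technique": technique, "key": key, "value": value, "data": data,
            "image": ev["image"], "matches_config": matches_config,
        })
    return findings


# Constructed config subset and registry events (paths invented for illustration).
SAMPLE_CFG = {"reg_key": "exasoft", "InstallPath": r"DCSCMIN\IMDCSC.exe"}
SAMPLE_EVENTS = [
    {"key": WINLOGON_KEY, "value": "Userinit",
     "data": r"C:\Windows\system32\userinit.exe,C:\Users\victim\Documents\DCSCMIN\IMDCSC.exe",
     "image": r"C:\Users\victim\Documents\DCSCMIN\IMDCSC.exe"},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "exasoft",
     "data": r"C:\Users\victim\Documents\DCSCMIN\IMDCSC.exe",
     "image": r"C:\Users\victim\Documents\DCSCMIN\IMDCSC.exe"},
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value": "SecurityHealth",
     "data": r"C:\Windows\system32\SecurityHealthSystray.exe",
     "image": r"C:\Windows\system32\msiexec.exe"},
    {"key": WINLOGON_KEY, "value": "Userinit",
     "data": r"C:\Windows\system32\userinit.exe,",
     "image": r"C:\Windows\system32\svchost.exe"},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "value": "Hidden",
     "data": "1", "image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in detect_persistence(SAMPLE_EVENTS, SAMPLE_CFG):
        tag = "config-match" if f["matches_config"] else "no-config-match"
        print(f["technique"], f["value"], tag, f["image"])
```

Of the five constructed events, three produce findings: the Userinit tamper and the `exasoft` Run value both match the config, while the SecurityHealth Run value is a plain Run-key write with no config match, which is the kind of hit that needs image/path context before being treated as this family. The event that rewrites Userinit with its stock data and the unrelated Explorer write produce nothing.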
