General

  • Target

    83a7f5dff75191313645cf4b5826b8f5e70cfae04b9cdc37f12ee94dfa714c13

  • Size

    896KB

  • Sample

    221014-l549paaeg6

  • MD5

    465cd7d12a6d172b5e63fb3d73dfeeee

  • SHA1

    2c2e806aee3159acfd50060c4480967dc4ea9ef9

  • SHA256

    83a7f5dff75191313645cf4b5826b8f5e70cfae04b9cdc37f12ee94dfa714c13

  • SHA512

    5eee4992caf7c3405f93b86ab5fadd2dcdaa59d2360f4cfe43a1d64c5241b978ec7d0205a68ab0f7f6cc2084226ec4b695e711608a10b585daccb792ad6b3977

  • SSDEEP

    24576:9m22dzbkoGp0bfLpE5/MccfwuwpnrgQaL:02ikCwnJ

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    r3dz80.no-ip.biz:1604

  • Mutex

    DC_MUTEX-BLY4NYD

Attributes

  • InstallPath

    MSC\mscsc.exe

  • gencode

    CpD5oSVX2oqz

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    pdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar tools.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
