General

  • Target

    eb2558f1d6f10f2731bd6fad365072708dfb5a7aa8f5df509205230678b419a0

  • Size

    658KB

  • Sample

    221018-yrczhaeaek

  • MD5

    81bda7575d642a04b6f292f00084f4e9

  • SHA1

    4c86d49c57459f59df22e300d74e2e63ac7b4f76

  • SHA256

    eb2558f1d6f10f2731bd6fad365072708dfb5a7aa8f5df509205230678b419a0

  • SHA512

    390375c1deb1277a6b1f12ee2ab0a73d7eccc322ef3d2b5a8cca89a42ec7b68f203c1107b99b3c6fcfe2c23b0019694f0ac3d878e237c198bc17184a22f22c89

  • SSDEEP

    12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hX:eZ1xuVVjfFoynPaVBUR8f+kN10EBp

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

xmarvel.ddns.net:1604

Mutex

DCMIN_MUTEX-YU7TUH7

Attributes

  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    XKwYeofo54nG

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    DarkComet RAT

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6