General

  • Target

    9d1352ff3831f02eb5d2256eceabf9e909224b93e94b81cc65232e9612e76e22

  • Size

    407KB

  • Sample

    221019-115rzsaeh7

  • MD5

    9103158e969dbdf5ca2412290234eb50

  • SHA1

    716c8920b5e3b3078f523d46a1dfe30aebf65a82

  • SHA256

    9d1352ff3831f02eb5d2256eceabf9e909224b93e94b81cc65232e9612e76e22

  • SHA512

    24f3e908af8454b3592309c0ee46001bab2e9223733c3c6b31ac24e749c5c2c4bd4eb857d5d529a329f3f2d24fe03dfa87cf5cc3e43523e989a4d892c645c3c2

  • SSDEEP

    12288:wUABeRfJOWhb/JedZQUOjfjyB8ewNtkMqJIFB:CBeRfsYJiZujjGfQtkMqu

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    alex234.no-ip.biz:1604

  • Mutex

    DC_MUTEX-SC6F7JV

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    w7irGWwDJFDY

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
