General

  • Target

    73078c58d3aef5c83895fb292b022f1f231316086ff36738b7544d53de6d2069

  • Size

    1.1MB

  • Sample

    221019-2hdffsbdgk

  • MD5

    91ee0282e9f410dd9252c1ad587754c0

  • SHA1

    5f4583af94866be0c47660648f886f13dc362166

  • SHA256

    73078c58d3aef5c83895fb292b022f1f231316086ff36738b7544d53de6d2069

  • SHA512

    cb9ecb97c77a9ffc02ff165ff2f9fd94192d47622c9b0b085929d4e4c87c64909c3a241092430329f0b72037f4239ad67c302f4b6709025db1df4b85303cfc43

  • SSDEEP

    24576:nTSwSWCpF7YXvPWLuXS/2457DUsOqdGXmh4ACL:nTSwSnppYfPw/pS5O2

Malware Config

Extracted

Family

darkcomet

Botnet

OrjiFresh

C2

192.111.149.142:200

Mutex

DC_MUTEX-EHWJ94V

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    seU988lBxdRw

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate
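
The extracted configuration above is directly usable for hunting: the C2 endpoint, mutex name, install path and Run-key value name are all host or network observables. The following script is an added example for this report, not part of the sandbox output or of DarkComet itself. It runs the indicators over a handful of constructed Sysmon-style telemetry records and groups hits per process so that a single weak signal (one Run-key write, one outbound connection) does not fire on its own. The event field names, the %APPDATA%\Roaming parent directory of the install path, and the benign "Vendor" process are assumptions made for the example; the mutex-family pattern is generalised from the seven-character suffix of this sample's mutex.

```python
"""Hunt for the DarkComet indicators extracted in this report in host telemetry.

Added example, not from the sandbox report. The telemetry records below are
constructed to resemble Sysmon-style events; field names and the %APPDATA%
parent of the install path are assumptions, not values from the report.
"""
import re

# Indicators taken verbatim from the extracted configuration on this page.
CONFIG = {
    "c2_host": "192.111.149.142",
    "c2_port": 200,
    "mutex": "DC_MUTEX-EHWJ94V",
    "install_path": r"MSDCSC\msdcsc.exe",
    "reg_key": "MicroUpdate",
}

# Family-level patterns: the mutex shape is generalised from this sample's
# "DC_MUTEX-" + 7 alphanumerics; the registry paths are the Run key and the
# Winlogon UserInit value named by the report's persistence signatures.
MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
WINLOGON_RE = re.compile(r"\\Winlogon\\UserInit$", re.I)

# Constructed sample telemetry (assumed field names): one infected process
# (pid 1337) and one benign updater (pid 4242) that also writes a Run key.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1337,
     "image": r"C:\Users\victim\AppData\Roaming\MSDCSC\msdcsc.exe"},
    {"type": "mutex_create", "pid": 1337, "name": "DC_MUTEX-EHWJ94V"},
    {"type": "registry_set", "pid": 1337,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate",
     "value": r"C:\Users\victim\AppData\Roaming\MSDCSC\msdcsc.exe"},
    {"type": "registry_set", "pid": 1337,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "value": r"C:\Windows\system32\userinit.exe,C:\Users\victim\AppData\Roaming\MSDCSC\msdcsc.exe"},
    {"type": "network_connect", "pid": 1337, "dst_ip": "192.111.149.142", "dst_port": 200},
    {"type": "process_create", "pid": 4242, "image": r"C:\Program Files\Vendor\update.exe"},
    {"type": "registry_set", "pid": 4242,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "value": r"C:\Program Files\Vendor\update.exe"},
    {"type": "network_connect", "pid": 4242, "dst_ip": "203.0.113.10", "dst_port": 443},
]


def match_event(ev):
    """Return a list of (indicator_class, detail) hits for one telemetry record."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        image = ev.get("image", "")
        # Match on the configured relative install path regardless of parent dir.
        if image.lower().endswith(CONFIG["install_path"].lower()):
            hits.append(("install_path", image))
    elif kind == "mutex_create":
        name = ev.get("name", "")
        if name == CONFIG["mutex"]:
            hits.append(("mutex_exact", name))
        elif MUTEX_RE.match(name):
            hits.append(("mutex_family", name))  # another DarkComet build
    elif kind == "registry_set":
        key = ev.get("key", "")
        if RUN_KEY_RE.search(key) and key.rsplit("\\", 1)[-1] == CONFIG["reg_key"]:
            hits.append(("run_key", key))
        if WINLOGON_RE.search(key):
            hits.append(("winlogon_userinit", ev.get("value", "")))
    elif kind == "network_connect":
        if ev.get("dst_ip") == CONFIG["c2_host"] and ev.get("dst_port") == CONFIG["c2_port"]:
            hits.append(("c2", f"{ev['dst_ip']}:{ev['dst_port']}"))
    return hits


def hunt(events):
    """Group indicator hits by pid so weak signals can be combined per process."""
    by_pid = {}
    for ev in events:
        for hit in match_event(ev):
            by_pid.setdefault(ev["pid"], []).append(hit)
    return by_pid


def verdict(hits):
    """Flag a process once it shows at least two distinct indicator classes."""
    return len({cls for cls, _ in hits}) >= 2


if __name__ == "__main__":
    for pid, hits in hunt(SAMPLE_EVENTS).items():
        print(pid, "DARKCOMET" if verdict(hits) else "weak", hits)
```

Against real telemetry the Run-key and mutex checks are the cheapest to run broadly; the exact C2 match is the highest-confidence signal but only covers this botnet ("OrjiFresh"), whereas the mutex-family and install-path checks also catch other DarkComet builds that keep the defaults.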

Targets

    • Target

      73078c58d3aef5c83895fb292b022f1f231316086ff36738b7544d53de6d2069

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Sets file to hidden

      Sets the hidden file attribute so the dropped file is not shown in Explorer and similar file browsers by default.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks