General

  • Target

    543394da5acf56888658750e042d9131faf12f02bb7818fbb342e257ab8882c2

  • Size

    541KB

  • Sample

    221019-2tta2sbhhj

  • MD5

    8289386cad8460ee2d0df5cb19c61e70

  • SHA1

    87477deed0def74b695f9f3d95e403ecfa4a78d1

  • SHA256

    543394da5acf56888658750e042d9131faf12f02bb7818fbb342e257ab8882c2

  • SHA512

    45775e66a586660c1284a53266fbd287fa4440926d84b6bf1f9ba5d9c68744e8e6d7d514eb6682667da6ce72c8e794122321ca1bdf8cc1f329d26fa814cef931

  • SSDEEP

    12288:+r6ZCnsmTcLYHuBQq191YaltymewkwWoOVU8bdyy:+WZChhHQV91hpBWo8b

Malware Config

Extracted

Family

darkcomet

Botnet

apexdc

C2

worm-core.serveftp.com:1604

Mutex

DC_MUTEX-WJ05YVG

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    iXpSTCMphowF

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Windows Update

Targets

    • Target

      543394da5acf56888658750e042d9131faf12f02bb7818fbb342e257ab8882c2

    • Size

      541KB

    • MD5

      8289386cad8460ee2d0df5cb19c61e70

    • SHA1

      87477deed0def74b695f9f3d95e403ecfa4a78d1

    • SHA256

      543394da5acf56888658750e042d9131faf12f02bb7818fbb342e257ab8882c2

    • SHA512

      45775e66a586660c1284a53266fbd287fa4440926d84b6bf1f9ba5d9c68744e8e6d7d514eb6682667da6ce72c8e794122321ca1bdf8cc1f329d26fa814cef931

    • SSDEEP

      12288:+r6ZCnsmTcLYHuBQq191YaltymewkwWoOVU8bdyy:+WZChhHQV91hpBWo8b

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks