General

  • Target

    5222326a77897dfe193608b034f8194317c6c55dc4ae4344b034f1c7bd7e5f12

  • Size

    398KB

  • Sample

    221019-2vh7gabhe2

  • MD5

    922217c73db3cedb750ae07995ffbc4f

  • SHA1

    08b31cb1d7ce2f739bf272f70dc90e00d598e427

  • SHA256

    5222326a77897dfe193608b034f8194317c6c55dc4ae4344b034f1c7bd7e5f12

  • SHA512

    3549fc8e9dfb42e5956c902c7a29774eb1a58d73d1273996c3b403df9d7600333c643fde18799436f8346b98c3c5adcdf8fd6ceea0ca2510441242bc3faa2937

  • SSDEEP

    6144:h45diWUQUuvsMH9S3thuiIE4Hmmi0ZQ6JxRZGRHVOLIN:2quvZ9IjO3RUY

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    CS6-07/26

  • C2

    x631.zapto.org:3404

  • Mutex

    DC_MUTEX-HAXYN30

Attributes

  • gencode

    UVY1PuB8Wqid

  • install

    false

  • offline_keylogger

    true

  • password

    59_x631_PMr

  • persistence

    false

Targets

    • Target

      5222326a77897dfe193608b034f8194317c6c55dc4ae4344b034f1c7bd7e5f12

    • Size

      398KB

    • MD5

      922217c73db3cedb750ae07995ffbc4f

    • SHA1

      08b31cb1d7ce2f739bf272f70dc90e00d598e427

    • SHA256

      5222326a77897dfe193608b034f8194317c6c55dc4ae4344b034f1c7bd7e5f12

    • SHA512

      3549fc8e9dfb42e5956c902c7a29774eb1a58d73d1273996c3b403df9d7600333c643fde18799436f8346b98c3c5adcdf8fd6ceea0ca2510441242bc3faa2937

    • SSDEEP

      6144:h45diWUQUuvsMH9S3thuiIE4Hmmi0ZQ6JxRZGRHVOLIN:2quvZ9IjO3RUY

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks