General

  • Target

    4cb04dfa520368d7ac2bc38299413732a2add3c9ccf3c0e8dc13d34e34d1f308

  • Size

    796KB

  • Sample

    221019-2xhnqacbak

  • MD5

    a0bddae9a30d20a701e5468f89a5cd50

  • SHA1

    80b2879a041517f020ce00c12e573e7e43800a21

  • SHA256

    4cb04dfa520368d7ac2bc38299413732a2add3c9ccf3c0e8dc13d34e34d1f308

  • SHA512

    d09c8d3448e3314b2a73de7e6f2c34fefc67ae3d3ab6d570cf52a0b658a37352982cdf8297380a13add9688dc21e683811855e8c3d39bbf3f98985dba3c78727

  • SSDEEP

    12288:VvU7tgg7dA27kG1WTJB96bWcopBbXykP46SYGGqIFItCInTQ54:VvUyg7dAIWTJB9Rcyjfd92t+a

Malware Config

Extracted

Family

darkcomet

Botnet

w_w

C2

ser.myftp.org:81

Mutex

DC_MUTEX-JJ9U0DK

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    TLPAVPd49pbn

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicrosoftUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modifies WinLogon for persistence

    • ModiLoader Second Stage

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks