General

  • Target

    2686156cac511e276a916e343eb5b8207ac0d9e31f852a56a92f4c9a27c5d6ad

  • Size

    403KB

  • Sample

    221019-3a5emscgdn

  • MD5

    92485009de165746dd961984d3df6d10

  • SHA1

    3ccc52c61f50994d48d6544e7d1d186cfbde2795

  • SHA256

    2686156cac511e276a916e343eb5b8207ac0d9e31f852a56a92f4c9a27c5d6ad

  • SHA512

    c1beec94cb75e3ec97afd7c94a6abe1793a664aa5d8d1542459852c9208b793cd8b68ce43ee3604a6ab52f8070d2082ca4834d8c0787f90203a8b6da95c3c1d4

  • SSDEEP

    12288:jZIRXnHrXVHf27amyO35CoXkRDqw2ydy:jmnHrXV/osOJCo0RGwx

Malware Config

Extracted

Family

darkcomet

Botnet

Data(17.5)

C2

87.106.76.212:8080

likelike.no-ip.org:8080

kondoor.no-ip.org:8080

Mutex

DC_MUTEX-PCS0384

Attributes
  • InstallPath

    Win\tashkost.exe

  • gencode

    AJodwGWgqQNX

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Microsoft Windows Update

Targets

    • Target

      2686156cac511e276a916e343eb5b8207ac0d9e31f852a56a92f4c9a27c5d6ad

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

      Alters the Winlogon registry key so the implant is launched at user logon, a second persistence path alongside the Run key entry also reported for this sample.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check before the payload runs.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Setting another thread's context is the usual final step of process hollowing (RunPE): the payload is written into a suspended host process and the thread's entry point is redirected into it.
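As an added example that is not part of the sandbox report or the sandbox's own tooling, the following Python turns the extracted configuration (C2 hosts and port, mutex, InstallPath, Run value name) and the reported persistence behaviours into a host-telemetry matcher. The JSON event format, the field names and the sample events are constructed for illustration; the report says only that Winlogon is modified, so matching on the Userinit/Shell values is an assumption, and since it does not state the base directory of the InstallPath the file path is matched on its suffix.

```python
"""Match the DarkComet indicators extracted from this sample against host
telemetry.  Added example, not the sandbox's output or API: indicator values
come from the report; the event format and sample events are constructed."""

import json
import re
from collections import Counter

# --- Indicators copied from the report's extracted configuration ---
C2_HOSTS = {"87.106.76.212", "likelike.no-ip.org", "kondoor.no-ip.org"}
C2_PORT = 8080
MUTEX = "DC_MUTEX-PCS0384"
# InstallPath is "Win\tashkost.exe"; the report does not say which base
# directory it is relative to, so only the path suffix is matched (assumption).
INSTALL_SUFFIX = "\\win\\tashkost.exe"
RUN_VALUE_NAME = "microsoft windows update"   # reg_key from the config

# --- Registry locations to watch ---
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# The report only says "Modifies WinLogon"; Userinit and Shell are the Winlogon
# values a RAT normally rewrites and are assumed here, not stated by the report.
WINLOGON_RE = re.compile(
    r"\\software\\microsoft\\windows nt\\currentversion\\winlogon\\(userinit|shell)$", re.I)


def check_event(ev: dict) -> list[str]:
    """Return the names of every indicator that one telemetry event matches."""
    hits = []
    kind = ev.get("type")
    if kind == "registry_set":
        path = ev.get("path", "")
        data = ev.get("data", "")
        value_name = path.rsplit("\\", 1)[-1].lower()
        if RUN_KEY_RE.search(path) and value_name == RUN_VALUE_NAME:
            hits.append("run_key")
        if WINLOGON_RE.search(path) and INSTALL_SUFFIX in data.lower():
            hits.append("winlogon")
    elif kind == "file_write":
        if ev.get("path", "").lower().endswith(INSTALL_SUFFIX):
            hits.append("install_path")
    elif kind == "mutex_create":
        if ev.get("name") == MUTEX:
            hits.append("mutex")
    elif kind == "dns_query":
        # Dynamic-DNS C2 names are best caught at resolution time, before any connect.
        if ev.get("query", "").lower().rstrip(".") in C2_HOSTS:
            hits.append("c2_dns")
    elif kind == "net_connect":
        if ev.get("dst", "").lower() in C2_HOSTS:
            hits.append("c2_connect" if ev.get("port") == C2_PORT else "c2_host_other_port")
    return hits


def scan(lines):
    """Scan JSON-lines telemetry; return (list of (line_no, hits), per-indicator counts)."""
    matches, counts = [], Counter()
    for i, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue          # skip malformed lines rather than abort the scan
        hits = check_event(ev)
        if hits:
            matches.append((i, hits))
            counts.update(hits)
    return matches, counts


# Constructed sample telemetry: six events that should match, three that should not.
SAMPLE_LOG = r'''
{"type": "file_write", "path": "C:\\Users\\alice\\AppData\\Roaming\\Win\\tashkost.exe"}
{"type": "registry_set", "path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Windows Update", "data": "C:\\Users\\alice\\AppData\\Roaming\\Win\\tashkost.exe"}
{"type": "registry_set", "path": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit", "data": "C:\\Windows\\system32\\userinit.exe,C:\\Users\\alice\\AppData\\Roaming\\Win\\tashkost.exe"}
{"type": "mutex_create", "name": "DC_MUTEX-PCS0384"}
{"type": "dns_query", "query": "kondoor.no-ip.org"}
{"type": "net_connect", "dst": "87.106.76.212", "port": 8080}
{"type": "registry_set", "path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "data": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}
{"type": "mutex_create", "name": "Local\\MSCTF.Asm.MutexDefault1"}
{"type": "net_connect", "dst": "192.0.2.10", "port": 443}
'''

if __name__ == "__main__":
    found, totals = scan(SAMPLE_LOG.splitlines())
    for line_no, hits in found:
        print(f"line {line_no}: {', '.join(hits)}")
    print(dict(totals))
```

A connection to one of the C2 hosts on a port other than 8080 is reported separately (`c2_host_other_port`) because the config only names 8080; the host itself is still worth an alert, but the weaker tag lets a responder rank it below an exact endpoint match.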

MITRE ATT&CK Enterprise v6

Tasks