General

  • Target

    fc19e6c67c655198981e72ec366a1ec7ef1e6898989763a9a5b64e0fa9d12575

  • Size

    1003KB

  • Sample

    221019-z1m2haghe6

  • MD5

    91b53ce7219a69a4e49086fad526e215

  • SHA1

    ef6f20371b97c8e85b713dc57b71b2347409ca87

  • SHA256

    fc19e6c67c655198981e72ec366a1ec7ef1e6898989763a9a5b64e0fa9d12575

  • SHA512

    9ecb6a71f511ec91b702e9f03e17cf04f2ebb1a243a72f0cf1b7e33515f233a4bb415120a3c2400f5579e8795fa9f85af58c06662e7bf77b68426cf380313eb4

  • SSDEEP

    24576:9KVwEGQXIi+Bp6YEDv4AjdGLXtHiL3qSX:IVwE3x+r6YK4AjdGRHat

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16_min

  • C2

    sameg.no-ip.biz:1604

  • Mutex

    DCMIN_MUTEX-HPKNNKB

Attributes

  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    FLtyyRlznqpT

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    DarkComet RAT

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks