General

  • Target

    edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d

  • Size

    772KB

  • Sample

    221019-z7ghashbfm

  • MD5

    a1613b044cd3b96c095bb159d974fdd0

  • SHA1

    a00a19578d0ce9b20c41b286710ea23119c73dd5

  • SHA256

    edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d

  • SHA512

    8271a6d7523f8ab73e41d9beae3cef90aeb17c5be12f8f85a5505acd4ddc70d5a1496481a231dc213bacb2d6b3c5a7e39d5e50009ed8529468cd37e3fde71a0d

  • SSDEEP

    12288:2aQX8+MJfkLHpEs4HUY7jYrFOzUnEPO4hYMaEw8HEPvoSrtrcL0Sn39K8AhHCBw:hQX8idEsSlzUnEPOc/wyEPTBc344

Malware Config

Extracted

Family

darkcomet

Botnet

Guest

C2

poorme.no-ip.biz:2000

Mutex

DC_MUTEX-V7D2UFA

Attributes

  • InstallPath

    MSDCSC\Nod32.exe

  • gencode

    1DkFyWqFtAml

  • install

    true

  • offline_keylogger

    false

  • persistence

    true

  • reg_key

    cmD

Extracted

Family

darkcomet

Attributes

  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

Targets

    • Target

      edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d

    • Size

      772KB

    • MD5

      a1613b044cd3b96c095bb159d974fdd0

    • SHA1

      a00a19578d0ce9b20c41b286710ea23119c73dd5

    • SHA256

      edc3059056a17d92764fe565ba27ab6b03ea9a9e9d31eddc74b19893526f394d

    • SHA512

      8271a6d7523f8ab73e41d9beae3cef90aeb17c5be12f8f85a5505acd4ddc70d5a1496481a231dc213bacb2d6b3c5a7e39d5e50009ed8529468cd37e3fde71a0d

    • SSDEEP

      12288:2aQX8+MJfkLHpEs4HUY7jYrFOzUnEPO4hYMaEw8HEPvoSrtrcL0Sn39K8AhHCBw:hQX8idEsSlzUnEPOc/wyEPTBc344

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6