General
-
Target
ecfc92ada01f5a9b9634942262a105b431d5b3ca764d1dd640d1b68a3dd95227
-
Size
514KB
-
Sample
221122-yyagysba4w
-
MD5
ed58e3672faedbd190ed17887a4fe799
-
SHA1
f89497a9a9ab579d590b3e382617cc332127057c
-
SHA256
ecfc92ada01f5a9b9634942262a105b431d5b3ca764d1dd640d1b68a3dd95227
-
SHA512
532ea90f219ae2e1cb5dbb8be362775c615d100ea7387cf66b599b729e2a7b4f89f74a822aec9f265ef535911c2dd2b4ba2c4810fa4fe9ae89c2ccb5e2fe1623
-
SSDEEP
6144:83337g6biIHYuw6mhDpp5KeWZ7PO0i6wfrzhO7zFS79i+wno61KRydRJf7TiRAoR:s337g5AAEFfiFxSQM+F61UyNSmoKSf5
Malware Config
Extracted
darkcomet
XXxxXX
microsoft32.redirectme.net:800
microsoft32.redirectme.net:1995
DC_MUTEX-E5QDVP0
-
InstallPath
MSDCSC\sqlwow.exe
-
gencode
EHNHlgelU314
-
install
true
-
offline_keylogger
true
-
password
0123456789
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
ecfc92ada01f5a9b9634942262a105b431d5b3ca764d1dd640d1b68a3dd95227
-
Size
514KB
-
MD5
ed58e3672faedbd190ed17887a4fe799
-
SHA1
f89497a9a9ab579d590b3e382617cc332127057c
-
SHA256
ecfc92ada01f5a9b9634942262a105b431d5b3ca764d1dd640d1b68a3dd95227
-
SHA512
532ea90f219ae2e1cb5dbb8be362775c615d100ea7387cf66b599b729e2a7b4f89f74a822aec9f265ef535911c2dd2b4ba2c4810fa4fe9ae89c2ccb5e2fe1623
-
SSDEEP
6144:83337g6biIHYuw6mhDpp5KeWZ7PO0i6wfrzhO7zFS79i+wno61KRydRJf7TiRAoR:s337g5AAEFfiFxSQM+F61UyNSmoKSf5
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-