General
-
Target
f1fa800064c2f4c54c5aa1774e86c28be350e5d672799e8d0021aaac0bad7d27
-
Size
711KB
-
Sample
221123-3rce7ada93
-
MD5
5425aa433b171f27078fd4ca10498bb0
-
SHA1
7c639d1bd900ec6fceb4cdb0840940d2296e5da4
-
SHA256
f1fa800064c2f4c54c5aa1774e86c28be350e5d672799e8d0021aaac0bad7d27
-
SHA512
f69c1b1c22eb1d801b65b97fb4f2efd82859016da29ec778f589c01452325923bbafc89a8cf39c0f71896d752d0f3fccc778ef6428d50357e7263c983c54f366
-
SSDEEP
12288:Z9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hx:jZ1xuVVjfFoynPaVBUR8f+kN10EB
Malware Config
Extracted
darkcomet
Tokz
tokz.no-ip.biz:2222
DC_MUTEX-4B0ARLJ
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
YbmqwQq9HGK0
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
rundl32
Targets
-
-
Target
f1fa800064c2f4c54c5aa1774e86c28be350e5d672799e8d0021aaac0bad7d27
-
Size
711KB
-
MD5
5425aa433b171f27078fd4ca10498bb0
-
SHA1
7c639d1bd900ec6fceb4cdb0840940d2296e5da4
-
SHA256
f1fa800064c2f4c54c5aa1774e86c28be350e5d672799e8d0021aaac0bad7d27
-
SHA512
f69c1b1c22eb1d801b65b97fb4f2efd82859016da29ec778f589c01452325923bbafc89a8cf39c0f71896d752d0f3fccc778ef6428d50357e7263c983c54f366
-
SSDEEP
12288:Z9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hx:jZ1xuVVjfFoynPaVBUR8f+kN10EB
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Adds Run key to start application
-