General

  • Target

    f5fe87ddee0e06b3664dfe3ceab39b0fa75000f42cd332aa10e4cd05ff28b663

  • Size

    1000KB

  • Sample

    221123-l11qpsgb7z

  • MD5

    99e18037d98721d5e0d35baecd49703d

  • SHA1

    0454cbec544a1580f7e828fed85beadf31c35e42

  • SHA256

    f5fe87ddee0e06b3664dfe3ceab39b0fa75000f42cd332aa10e4cd05ff28b663

  • SHA512

    0fe5551991981e0235b8c6962f3ea10563ad8eb8e46c83360c402a3313f61890f22e9e25de0d681514ad186b05af1fea90337fbbd9b5f3580f05ae6cf10aaf71

  • SSDEEP

    24576:aOXyYVWHpI+GXEtIj1OMh2GIk0E3PWhGcOkuvQTL:af7pI+1q3h1PWhGcOkS

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    RuneScape AIO Toolkit 2012

  • C2

    121.221.226.5:1708

  • Mutex

    DC_MUTEX-5D4MFMH

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    xrFcsHGVyoGT

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar file browsers.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
