General

  • Target

    ee7fb70f89d6d03a7f1de965c0c5fbad8f94c851d13a7e227cff98213de505d5

  • Size

    758KB

  • Sample

    221123-nvjw4shg29

  • MD5

    2b23159b81ef1d242f48a258d7f7a301

  • SHA1

    51dd3880027e5a43e056e544adf838c73ebe2673

  • SHA256

    ee7fb70f89d6d03a7f1de965c0c5fbad8f94c851d13a7e227cff98213de505d5

  • SHA512

    8731b611679fa0fa6b55ac2e16554ab1b28eff45ffb6dfdea49054de8d25f88fde68852b237768be9c09e596c59292bca5bb6e412a029f1a5771d3dee8e17bc2

  • SSDEEP

    12288:ezSo9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hRX:EZ1xuVVjfFoynPaVBUR8f+kN10EBT

Malware Config

Extracted

Family

darkcomet

Botnet

Free Virus

C2

ziedje.no-ip.org:1604

Mutex

DC_MUTEX-C6XNY5V

Attributes
  • InstallPath

    Windowsdll32\wdll32.exe

  • gencode

    1UHPRJGrWnpA

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Windowsdll32

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
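The Malware Config block above is what a config extractor produces once the DarkComet stub's embedded configuration has been decrypted, and the persistence signatures (Run key, WinLogon) are what a host check then looks for. The script below is an added example of that extraction, not the sandbox's extractor and not DarkComet's own code. It rests on assumptions taken from public DarkComet analyses rather than from this report: that the config lives in an RCDATA resource named DCDATA as hex-encoded RC4 ciphertext, that the plaintext is one KEY={value} field per line (MUTEX, SID, NETDATA, GENCODE, INSTALL, EDTPATH, KEYNAME, PERSINST, OFFLINEK), and that the RC4 keys listed are the per-build stub defaults. The input blob is constructed inside the script from the values in the report; it is not bytes carved from the sample, and the names `decrypt_dcdata`, `normalize` and `host_indicators` are this example's own.

```python
"""Decode a DarkComet DCDATA config blob into the attribute set a sandbox
report lists. Added example, not the sandbox's extractor; resource layout,
field names and keys are assumptions from public DarkComet analyses."""
import binascii
import re

# Assumed per-build stub RC4 keys, most common build first.
CANDIDATE_KEYS = [b"#KCMDDC51#-890", b"#KCMDDC5#-890", b"#KCMDDC42F#-890"]

# One KEY={value} field per line; \s* absorbs the \r of a CRLF line ending.
FIELD_RE = re.compile(rb"^([A-Z0-9_]+)=\{(.*)\}\s*$", re.M)

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), which is all the stub applies to the config."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decrypt_dcdata(hex_blob: bytes) -> tuple:
    """Return (key, plaintext) for the first key whose output looks like a config."""
    ciphertext = binascii.unhexlify(hex_blob.strip())
    for key in CANDIDATE_KEYS:
        plaintext = rc4(key, ciphertext)
        if b"#BEGIN DARKCOMET DATA" in plaintext or b"MUTEX={" in plaintext:
            return key, plaintext
    raise ValueError("no candidate key yields a DarkComet config block")

def parse_fields(plaintext: bytes) -> dict:
    """Raw KEY -> value pairs from the decrypted block."""
    return {m.group(1).decode(): m.group(2).decode("latin-1")
            for m in FIELD_RE.finditer(plaintext)}

def normalize(fields: dict) -> dict:
    """Map raw field names onto the attribute names the report uses."""
    def flag(name):
        return fields.get(name, "0") == "1"
    c2 = []
    for entry in fields.get("NETDATA", "").split("|"):  # several C2s are '|'-separated
        host, sep, port = entry.strip().rpartition(":")
        if not sep:                                      # bare host: assume default port 1604
            host, port = port, "1604"
        if host:
            c2.append((host, int(port)))
    return {
        "family": "darkcomet",
        "botnet": fields.get("SID"),
        "c2": c2,
        "mutex": fields.get("MUTEX"),
        "InstallPath": fields.get("EDTPATH"),
        "reg_key": fields.get("KEYNAME"),
        "gencode": fields.get("GENCODE"),
        "install": flag("INSTALL"),
        "persistence": flag("PERSINST"),
        "offline_keylogger": flag("OFFLINEK"),
    }

def host_indicators(cfg: dict) -> dict:
    """What a host check compares against, per the report's persistence signatures.
    The report does not say which Winlogon value is edited, so both are listed."""
    return {
        "mutex": cfg["mutex"],
        "run_value_name": cfg["reg_key"],                     # 'Adds Run key to start application'
        "install_path_suffix": cfg["InstallPath"],            # relative path as stored in the config
        "winlogon_values_to_inspect": ["Userinit", "Shell"],  # 'Modifies WinLogon for persistence'
    }

def decode_config(hex_blob: bytes) -> dict:
    """End to end: hex DCDATA resource bytes -> normalized attribute dict."""
    return normalize(parse_fields(decrypt_dcdata(hex_blob)[1]))

# Constructed sample: plaintext built from the report's values, encrypted with
# the 5.1 key and hex-encoded the way the stub stores it. Not bytes from the sample.
SAMPLE_PLAINTEXT = b"\r\n".join([
    b"#BEGIN DARKCOMET DATA --",
    b"MUTEX={DC_MUTEX-C6XNY5V}",
    b"SID={Free Virus}",
    b"NETDATA={ziedje.no-ip.org:1604}",
    b"GENCODE={1UHPRJGrWnpA}",
    b"INSTALL={1}",
    b"EDTPATH={Windowsdll32\\wdll32.exe}",
    b"KEYNAME={Windowsdll32}",
    b"PERSINST={1}",
    b"OFFLINEK={1}",
    b"#EOF DARKCOMET DATA --",
])
SAMPLE_DCDATA = binascii.hexlify(rc4(b"#KCMDDC51#-890", SAMPLE_PLAINTEXT)).upper()
```

Against a real file, replace `SAMPLE_DCDATA` with the raw bytes of the RCDATA entry named DCDATA (pefile's `DIRECTORY_ENTRY_RESOURCE` tree will locate it) and call `decode_config` on them; if every candidate key fails, the stub is either a build with a different key or packed, and the resource must be carved from the unpacked image instead. The keys are tried in order and the first plausible plaintext wins, so add a new build key to `CANDIDATE_KEYS` rather than replacing the list.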
