General

  • Target

    894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523

  • Size

    1.4MB

  • Sample

    221123-q16zyaad9t

  • MD5

    60a9c28e01b11254b21a765021a5c047

  • SHA1

    6b070320d8fd5f062884ff97d6fa0914c25ca497

  • SHA256

    894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523

  • SHA512

    65b1d35ee737fb86f61632ec9411927cd693ea74d51aa3db2aa2048ec9924ca96d2c4f58f86c79b8a309a3345ab251c8c26ae37473ae9636ba52488c97cc9be9

  • SSDEEP

    12288:EmG3KzGqLHIZ9wivE7hBeZ7AJhVGAQhHPq3Ycat4WUujROpDdn6mh/k+lNhI2r:bG65IZ9wivgBetuGAQhvcWLgCmFkcLr

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    WIRE

  • C2

    munachim.linkpc.net:1605

  • Mutex

    DCMIN_MUTEX-MSP77U0

Attributes

  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    mor58pndC03T

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    DarkComet RAT

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks