General

  • Target

    78f119546654d1e4236221242d84ab342e558c382bc7174c6062c9ffae1c6447

  • Size

    756KB

  • Sample

    221123-s6dxfsdb63

  • MD5

    90a107c3d53c5cbecd748bce9005add6

  • SHA1

    1a8ad010c53cd75af7d42cd22b90075d14e4842c

  • SHA256

    78f119546654d1e4236221242d84ab342e558c382bc7174c6062c9ffae1c6447

  • SHA512

    9f943fb6d0424694646398880e0706a69db68216cbef00351b6a1d3457f621cd5965d570068f53ecee107130f506eb395a7e021662a82f13bc746ff88a63bfbc

  • SSDEEP

    12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hG:eZ1xuVVjfFoynPaVBUR8f+kN10EBg

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    jonas24.no-ip.biz:1630

  • Mutex

    DC_MUTEX-FYQ3L58

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    oVsFPxtqM18C

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar tools.

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Deletes itself

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
