General

  • Target

    2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96

  • Size

    658KB

  • Sample

    221123-s6kd8sdb72

  • MD5

    cf19f9462959aff7ccb2ad1dc9c120f4

  • SHA1

    8629f0bef6d30ac285a67b9abba6a3951668cb77

  • SHA256

    2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96

  • SHA512

    74906f232c1ff409ee839606f20292318d40a7819676558781be50f8c782d8295e3694f335310cdaf2b7bb4dd31979b345ff7d956342f627825304c1511804ce

  • SSDEEP

    12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h1:KZ1xuVVjfFoynPaVBUR8f+kN10EBH

Malware Config

Extracted

Family

darkcomet

Botnet

Roblox

C2

themarlborough.co.vu:13666

Mutex

DC_MUTEX-JNP1KZ5

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    6yMzjHHDLNnH

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar file browsers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6