General

  • Target

    73e3f5f3a5eb61b033ab5ebe7aa3f748947ec628cbb73a14d149ee601961d6ec

  • Size

    1.4MB

  • Sample

    221123-s7e6xadc28

  • MD5

    e2e1617906e695fe2c0024f5c59e2ad3

  • SHA1

    25a4ed069253693ea22d6c9a68990414d4495f77

  • SHA256

    73e3f5f3a5eb61b033ab5ebe7aa3f748947ec628cbb73a14d149ee601961d6ec

  • SHA512

    0769f27eee819fd0cb7c0e15c4c08ff5b963285d9f14e1c0e18a4a531dfb4a9872c42e4e60801d9156c03bfe7d77d70d503dbf91e89096036c0707143c46f49f

  • SSDEEP

    24576:oNW4777TMDr06+hJeGKa1ezhIDyG53W7Evr2ULRiYvQeG8C0tUajUU2AQ4P4qJ1c:qW47TM/06A1ezhuyG9WAz20iYvQctx2G

Malware Config

Extracted

Family

darkcomet

Botnet

Wrdex

C2

127.0.0.1:1454

larryking.no-ip.biz:1454

Mutex

DC_MUTEX-7MQCAT1

Attributes

  • gencode

    ujzd2CCjR7AN

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry; this is likely a geofencing check.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks