General

  • Target

    4b0e0b0add966a824365a62ae8c72e2bf6517a7bd5f1197cf0fca07c09ab6877

  • Size

    362KB

  • Sample

    221123-s7rvpsdc39

  • MD5

    d0e689cd46215ce61aa7cad5184f0c03

  • SHA1

    993595b19cb80eec19c920c4798980ceac840472

  • SHA256

    4b0e0b0add966a824365a62ae8c72e2bf6517a7bd5f1197cf0fca07c09ab6877

  • SHA512

    c5116206fe39c828b12d7c9edc386a8f960ffc1f02c6af552b77f466e299d28c38a2e562d47937feb4e3d9bd2f9e6df4f5b63bcc1104777c3ada3a52df18f789

  • SSDEEP

    6144:4cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37lK2:4cW7KEZlPzCy37lb

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    paullad14.no-ip.biz:1604

  • Mutex

    DC_MUTEX-3TP2MMM

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    xhjk8rhgncrY

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes so that the file is not shown in Explorer and similar tools.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6