General

  • Target

    49e75af5070d31e6e53a6bf37a509732fd8e61875e80e213704703ea3246171d

  • Size

    2.8MB

  • Sample

    221123-vvg6vada2s

  • MD5

    0173cc2be471cac926c6104a2e8b986a

  • SHA1

    ece1bcbb39f75fe8bc71801cca1bb1e6e2f030e5

  • SHA256

    49e75af5070d31e6e53a6bf37a509732fd8e61875e80e213704703ea3246171d

  • SHA512

    f6c6ea986a955390ee3470d8e887b428cb5d2043fd4d33fb24bd165d884e3e9a91c7fd231076225ab45b3ad85c466dca2ee536a0bb0c2804ee19e4aef1cb34ae

  • SSDEEP

    49152:QVjnLacAxQU/a6MWvnUq6hE5k6iBPQ7pGy05Z+sSdSLyXTX9ykYN+EiTAr:8D+cAxQUa6MWvnUq6hgkvBPuYywSXjXW

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

darkcometratt.no-ip.org:1604

Mutex

DC_MUTEX-WG0MMGJ

Attributes
  • gencode

    Rsl0xg3qg2h8

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Extracted

Family

darkcomet

Botnet

DEFORS

C2

rsnoip.ddns.net:1997

Mutex

DCMIN_MUTEX-C5RDYJH

Attributes
  • gencode

    NToT30g4twDC

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      49e75af5070d31e6e53a6bf37a509732fd8e61875e80e213704703ea3246171d


    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext
