General
-
Target
af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c
-
Size
363KB
-
Sample
221125-tc2l4acg5y
-
MD5
6868581b7a7f2803a837171254fe6331
-
SHA1
80e54e9ae298e949e49e06d927a9a5b31b5db21c
-
SHA256
af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c
-
SHA512
78cb03d3409db160f0cf69b951c4352a83227a1205f5a7db7aeacf820b06302d80b06fdc643b615bad3fe56b59224370c05c41f1ab9e753d1a39463ca6f8cead
-
SSDEEP
6144:mmluhyzPvCVoxWCmzUiQbbHhDPx3IfTYjDQ8g5J/ZAv5lFd+V5WnbFwPYzaYd+J:mwWyztxWdzjQbzhV3pjcpJ/2xMYwPY21
Malware Config
Extracted
darkcomet
Zombie
microsoftsystem.servehttp.com:1488
DC_MUTEX-ADWJ2LM
-
InstallPath
MSNetwork\lsmass.exe
-
gencode
lajRRURGWL6z
-
install
true
-
offline_keylogger
true
-
password
4nT1Cr4Ck3R3nCrYpT10n
-
persistence
true
-
reg_key
Windows-Network Component
Targets
-
-
Target
af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c
-
Size
363KB
-
MD5
6868581b7a7f2803a837171254fe6331
-
SHA1
80e54e9ae298e949e49e06d927a9a5b31b5db21c
-
SHA256
af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c
-
SHA512
78cb03d3409db160f0cf69b951c4352a83227a1205f5a7db7aeacf820b06302d80b06fdc643b615bad3fe56b59224370c05c41f1ab9e753d1a39463ca6f8cead
-
SSDEEP
6144:mmluhyzPvCVoxWCmzUiQbbHhDPx3IfTYjDQ8g5J/ZAv5lFd+V5WnbFwPYzaYd+J:mwWyztxWdzjQbzhV3pjcpJ/2xMYwPY21
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-