General
-
Target
c1698f1cccd0cf39d9ef3aba436b1beaf17b6b8e4d712d1e99fa063fe3850bdc
-
Size
271KB
-
Sample
221126-2y8arsbf26
-
MD5
eb0ab5c020d77b0facffe58e4aac1b7b
-
SHA1
2e1802b031d8ab32f6644cd364188bebdd79b002
-
SHA256
c1698f1cccd0cf39d9ef3aba436b1beaf17b6b8e4d712d1e99fa063fe3850bdc
-
SHA512
4ffa02ac5489b0eb8ae63f9e4f6410051a0a685bacde15d7b4571a9bb2276e80d0b9a1c4a6213d4313b05930a056c4a6153bf60caf39121698040e5d8f119492
-
SSDEEP
6144:mgT+seOpJzj1RiZC+Z38N1ppv+ab5qDZLaxbqxBY9WSP:qrAz6ZC+N8fGaCpaxbqxBuP
Malware Config
Extracted
darkcomet
Guest16
.duckdns.org:1604
DC_MUTEX-V5NVLP0
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
xFLum93EqW7N
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
c1698f1cccd0cf39d9ef3aba436b1beaf17b6b8e4d712d1e99fa063fe3850bdc
-
Size
271KB
-
MD5
eb0ab5c020d77b0facffe58e4aac1b7b
-
SHA1
2e1802b031d8ab32f6644cd364188bebdd79b002
-
SHA256
c1698f1cccd0cf39d9ef3aba436b1beaf17b6b8e4d712d1e99fa063fe3850bdc
-
SHA512
4ffa02ac5489b0eb8ae63f9e4f6410051a0a685bacde15d7b4571a9bb2276e80d0b9a1c4a6213d4313b05930a056c4a6153bf60caf39121698040e5d8f119492
-
SSDEEP
6144:mgT+seOpJzj1RiZC+Z38N1ppv+ab5qDZLaxbqxBY9WSP:qrAz6ZC+N8fGaCpaxbqxBuP
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-