General
-
Target
5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6
-
Size
1.6MB
-
Sample
221126-3dnlascf74
-
MD5
0620050df2e5a15c53b9035407c4cfbf
-
SHA1
5a7cfa25d0c9e1ce1838310c450a5d3c1a81e62f
-
SHA256
5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6
-
SHA512
1f88713ff76982305fac2ced56f838ab36721e25c6589934cd25489ae8eb149555d8004c96a36aa9e8429cdfb69aeb59a91e8a660618799115bf146084cc8816
-
SSDEEP
24576:WF14CROX4GLhHexsQ8XqlAzpGNQUlFTH0dxXc/2hAqT9MI8SqVb8JNPTEJaE53:WF1pR4LhusCAF2d8dikAu9MzgzE4C
Malware Config
Extracted
darkcomet
bndbt
imouttahere.no-ip.biz:1605
DC_MUTEX-PPBR4G6
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
xPKZmVuPN7gy
-
install
true
-
offline_keylogger
true
-
password
aerohigh
-
persistence
false
-
reg_key
MicroUpdate
Targets
-
-
Target
5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6
-
Size
1.6MB
-
MD5
0620050df2e5a15c53b9035407c4cfbf
-
SHA1
5a7cfa25d0c9e1ce1838310c450a5d3c1a81e62f
-
SHA256
5b2f4726b2508e3a148af9d1dcb32de589c0255df8c588ad7cd26ecc0b4510e6
-
SHA512
1f88713ff76982305fac2ced56f838ab36721e25c6589934cd25489ae8eb149555d8004c96a36aa9e8429cdfb69aeb59a91e8a660618799115bf146084cc8816
-
SSDEEP
24576:WF14CROX4GLhHexsQ8XqlAzpGNQUlFTH0dxXc/2hAqT9MI8SqVb8JNPTEJaE53:WF1pR4LhusCAF2d8dikAu9MzgzE4C
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-