General
-
Target
fbae158ac6dd24def292daa93ee48cc31b500a71fe10c19ddfe9b4c4c030c6f8
-
Size
699KB
-
Sample
221126-de2rwabc5t
-
MD5
bb504aa1e8a618ae1100250b990a0bfe
-
SHA1
446a7dd6c070cd836f44ea64885e2092aa51e19c
-
SHA256
fbae158ac6dd24def292daa93ee48cc31b500a71fe10c19ddfe9b4c4c030c6f8
-
SHA512
ebd509cae43cb74e11ecbc6a37f2425107b3b2145085eb0ff3941ce91c0ad7a4a3771d4863a2ecdcda77c3d6c9087ba271a7edb548e4efb16b47554de9115508
-
SSDEEP
12288:TmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZKD/XdyF0/9HMeF:TBIGkbxqEcjsWiDxguehC2S7pj
Malware Config
Extracted
darkcomet
DoS
127.0.0.1:1604
DC_MUTEX-D1GBSEM
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
Vt4jEdLB1t28
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Targets
-
-
Target
fbae158ac6dd24def292daa93ee48cc31b500a71fe10c19ddfe9b4c4c030c6f8
-
Size
699KB
-
MD5
bb504aa1e8a618ae1100250b990a0bfe
-
SHA1
446a7dd6c070cd836f44ea64885e2092aa51e19c
-
SHA256
fbae158ac6dd24def292daa93ee48cc31b500a71fe10c19ddfe9b4c4c030c6f8
-
SHA512
ebd509cae43cb74e11ecbc6a37f2425107b3b2145085eb0ff3941ce91c0ad7a4a3771d4863a2ecdcda77c3d6c9087ba271a7edb548e4efb16b47554de9115508
-
SSDEEP
12288:TmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZKD/XdyF0/9HMeF:TBIGkbxqEcjsWiDxguehC2S7pj
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Detect Neshta payload
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Modifies security service
-
Modifies system executable filetype association
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Windows security bypass
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Adds Run key to start application
-