General
-
Target
46ab1128dae33bbd2de468698b5f69bfcdf5817719e96ed0c22df09e13a4cfbd
-
Size
699KB
-
Sample
221126-dfkvraga55
-
MD5
c4d53cb623d3c565bc18469a4f54c086
-
SHA1
e3736a7d97bfd47b7c6b715c6dadf1a804b88b81
-
SHA256
46ab1128dae33bbd2de468698b5f69bfcdf5817719e96ed0c22df09e13a4cfbd
-
SHA512
e2b83879bca488a9798ee1fc39ce5bee921f331fb982f4136cd87be0b58ec57554070c813136c65551070d582ecae0341364ca5e2d8cf761984d9053e3cb27ea
-
SSDEEP
12288:zrJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hn9HFJ4:z1xuVVjfFoynPaVBUR8f+kN10EBns
Malware Config
Extracted
darkcomet
Guest16
85.93.52.232:1604
DC_MUTEX-DSQ7QC1
-
InstallPath
MSDCSC\svchost.exe
-
gencode
eSTiNqh97wPq
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
svchost
Targets
-
-
Target
46ab1128dae33bbd2de468698b5f69bfcdf5817719e96ed0c22df09e13a4cfbd
-
Size
699KB
-
MD5
c4d53cb623d3c565bc18469a4f54c086
-
SHA1
e3736a7d97bfd47b7c6b715c6dadf1a804b88b81
-
SHA256
46ab1128dae33bbd2de468698b5f69bfcdf5817719e96ed0c22df09e13a4cfbd
-
SHA512
e2b83879bca488a9798ee1fc39ce5bee921f331fb982f4136cd87be0b58ec57554070c813136c65551070d582ecae0341364ca5e2d8cf761984d9053e3cb27ea
-
SSDEEP
12288:zrJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hn9HFJ4:z1xuVVjfFoynPaVBUR8f+kN10EBns
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Detect Neshta payload
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Modifies security service
-
Modifies system executable filetype association
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Windows security bypass
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Adds Run key to start application
-
Drops file in System32 directory
-