General
-
Target
a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693
-
Size
594KB
-
Sample
221126-y5dsysbh88
-
MD5
f792868a671695eb5ff716c774ab4474
-
SHA1
cd6964165c397f984de85ee9cc3ef80a4b23ea7f
-
SHA256
a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693
-
SHA512
b4a41326705fbe908f4fd6485eaf8b1b409acd5feaf1baa8d9f3eb8f2b4c912ab82e1a712e6cf8db7baa664dba0ff9570fec790819aea24023caaf68801e7545
-
SSDEEP
12288:g9Zu42qMifMb9yXf1J9pOxsrC3uQOJdy9rHCbLutbK8dTHK/73cI6j:g9ZDy6Mb9ydTpOKCvHCboWiTHx
Malware Config
Extracted
darkcomet
new1
banrutero.duckdns.org:3462
chapinmaster.aidyn.net:3462
DC_MUTEX-UYTP5W4
-
InstallPath
Winlogon.exe
-
gencode
kCVib9BZgqVh
-
install
true
-
offline_keylogger
true
-
password
22617
-
persistence
true
-
reg_key
MicroUpdates
Targets
-
-
Target
a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693
-
Size
594KB
-
MD5
f792868a671695eb5ff716c774ab4474
-
SHA1
cd6964165c397f984de85ee9cc3ef80a4b23ea7f
-
SHA256
a0ab89a5bd347f53f5ac9360e3a45cfc05a7a8d9d66264c4d734ebe1f894f693
-
SHA512
b4a41326705fbe908f4fd6485eaf8b1b409acd5feaf1baa8d9f3eb8f2b4c912ab82e1a712e6cf8db7baa664dba0ff9570fec790819aea24023caaf68801e7545
-
SSDEEP
12288:g9Zu42qMifMb9yXf1J9pOxsrC3uQOJdy9rHCbLutbK8dTHK/73cI6j:g9ZDy6Mb9ydTpOKCvHCboWiTHx
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-