darkcomet

General

Target

59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04
Size

1.2MB
Sample

221128-mphw7acd2v
MD5

3e7390c3eeeb28cb18eaa5b7f682b0da
SHA1

9d8401994e982e037a4e395faf1597cb76470171
SHA256

59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04
SHA512

4cc01a3b5629a8d029ebcda3f5f514f4da235edd554306640d200eb522c5909c7a2944fb85993ebfd2d4a63451507a32b4907c15551ffe0b0820fe0d1c8d65fc
SSDEEP

24576:I0QtqBorTlYWBhE+V3mO20zwt/l1SRKgZ2eS:I7tqFWM4mNWI

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
nickflip2009@gmail.com
Password:
nick5501

Extracted

Family

darkcomet

Botnet

Slaves

C2

nickflip2015.no-ip.org:1604

10.0.0.75:1604

Mutex

DC_MUTEX-D8AZQWD

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
HhJKioBtXipk
install
true
offline_keylogger
false
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04
- Size
  
  1.2MB
- MD5
  
  3e7390c3eeeb28cb18eaa5b7f682b0da
- SHA1
  
  9d8401994e982e037a4e395faf1597cb76470171
- SHA256
  
  59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04
- SHA512
  
  4cc01a3b5629a8d029ebcda3f5f514f4da235edd554306640d200eb522c5909c7a2944fb85993ebfd2d4a63451507a32b4907c15551ffe0b0820fe0d1c8d65fc
- SSDEEP
  
  24576:I0QtqBorTlYWBhE+V3mO20zwt/l1SRKgZ2eS:I7tqFWM4mNWI
Score

10^/10

darkcomet hawkeye slaves collection evasion keylogger persistence rat spyware stealer trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2