General
-
Target
3ada9c8c85d1e4190e23e991b67fd4a7b742ad53e8619c17de95e7bf9fdcdd8d
-
Size
2.7MB
-
Sample
221128-p84dcaec46
-
MD5
95b7d69d2ca4edd407c417c3cc1ba1fb
-
SHA1
da6f9a7028528c496ef3531120d5529889820efa
-
SHA256
3ada9c8c85d1e4190e23e991b67fd4a7b742ad53e8619c17de95e7bf9fdcdd8d
-
SHA512
975c166f60256a47da33373e70036c41e811e9ac23004e151cd72f5ca303ccf996d7dc6b908bc84d717228be3869af6f4af9dbbf8d076ed37520bfa864030211
-
SSDEEP
3072:MUCGG2BGieQ6Bp0+6clEyu6ZrJE5ORErW4CwrEEGEJxt05mtj9GrvSqgXiJOjvtZ:MUCR2BGNg+6L1
Malware Config
Extracted
darkcomet
Infected
cristudios.ddns.net:2604
DC_MUTEX-8K7GCQR
-
InstallPath
SecurityUpdate\winsecurity.exe
-
gencode
EQfox0SM0ZJ0
-
install
true
-
offline_keylogger
true
-
password
231814010
-
persistence
true
-
reg_key
SecurityUpdate
Targets
-
-
Target
3ada9c8c85d1e4190e23e991b67fd4a7b742ad53e8619c17de95e7bf9fdcdd8d
-
Size
2.7MB
-
MD5
95b7d69d2ca4edd407c417c3cc1ba1fb
-
SHA1
da6f9a7028528c496ef3531120d5529889820efa
-
SHA256
3ada9c8c85d1e4190e23e991b67fd4a7b742ad53e8619c17de95e7bf9fdcdd8d
-
SHA512
975c166f60256a47da33373e70036c41e811e9ac23004e151cd72f5ca303ccf996d7dc6b908bc84d717228be3869af6f4af9dbbf8d076ed37520bfa864030211
-
SSDEEP
3072:MUCGG2BGieQ6Bp0+6clEyu6ZrJE5ORErW4CwrEEGEJxt05mtj9GrvSqgXiJOjvtZ:MUCR2BGNg+6L1
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-