General
-
Target
8d562009530552d38f5144f202ec0fcbe90f129469d42e78c16098088e3ad0b1
-
Size
701KB
-
Sample
221128-sf3swscc33
-
MD5
b25024975e6b107aefb174749379b971
-
SHA1
efa76167a48f3568fa26771bfe373647b715b348
-
SHA256
8d562009530552d38f5144f202ec0fcbe90f129469d42e78c16098088e3ad0b1
-
SHA512
36a0f69820def5cca466f580195bf89d13c6b43c8d87015a1e11f398bf81d14cade6b51c03243980c086d170a32c2db91ad198c82af563c008bf8c31ac6fad43
-
SSDEEP
12288:x2BIlTNevFZO7DXDRb1egPRGGDmQmgS0/VGcwph889cuhx7k6:gaT8DO7Hp1BQGiQPS0di88aug6
Malware Config
Extracted
darkcomet
Bios
blazeros.zapto.org:3175
DC_MUTEX-GS0NEC8
-
InstallPath
AdobeFlashUpdater\flashplayer16x32_mssd_aaa_aih.exe
-
gencode
o4BdAqVuGTLH
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
AdobeFlashPlayerUpdateSvc
Targets
-
-
Target
8d562009530552d38f5144f202ec0fcbe90f129469d42e78c16098088e3ad0b1
-
Size
701KB
-
MD5
b25024975e6b107aefb174749379b971
-
SHA1
efa76167a48f3568fa26771bfe373647b715b348
-
SHA256
8d562009530552d38f5144f202ec0fcbe90f129469d42e78c16098088e3ad0b1
-
SHA512
36a0f69820def5cca466f580195bf89d13c6b43c8d87015a1e11f398bf81d14cade6b51c03243980c086d170a32c2db91ad198c82af563c008bf8c31ac6fad43
-
SSDEEP
12288:x2BIlTNevFZO7DXDRb1egPRGGDmQmgS0/VGcwph889cuhx7k6:gaT8DO7Hp1BQGiQPS0di88aug6
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-