General

  • Target

    e7eba9400afd46600f1a9a301af0aab86e17f56cf22ab93b81beaaf2ec3eaf5c

  • Size

    1.2MB

  • Sample

    221129-nr6ayahe5z

  • MD5

    bdf3a330efa4296d6547e13dc4ff0b87

  • SHA1

    5f245654fcd374e54f9a3747aa3ceebe7ea93760

  • SHA256

    e7eba9400afd46600f1a9a301af0aab86e17f56cf22ab93b81beaaf2ec3eaf5c

  • SHA512

    739b9a8fd57f5bf1e42d6206ef2708e78cc56e623807eedc6955bf61a5ca6808270aa8e416f4f3e0b735b551a4f7b10ac34fe5a9ee9c6d91407ac878ffee64f3

  • SSDEEP

    12288:9xPzOw1+1VJw0wJFBRhZa9icVWNLEsy8lDGkX8I4/H+jWDcImvqA5UGcYkMRMoHG:9PqM6YV+/1HhA3UEjS91ekhhZ

Malware Config

Extracted

Family

darkcomet

Botnet

Yahoo-chat

C2

epiclegit.no-ip.biz:1337

Mutex

DC_MUTEX-56EX4JX

Attributes
  • gencode

    uxiHXsbVBFCC

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      e7eba9400afd46600f1a9a301af0aab86e17f56cf22ab93b81beaaf2ec3eaf5c

    • Size

      1.2MB

    • MD5

      bdf3a330efa4296d6547e13dc4ff0b87

    • SHA1

      5f245654fcd374e54f9a3747aa3ceebe7ea93760

    • SHA256

      e7eba9400afd46600f1a9a301af0aab86e17f56cf22ab93b81beaaf2ec3eaf5c

    • SHA512

      739b9a8fd57f5bf1e42d6206ef2708e78cc56e623807eedc6955bf61a5ca6808270aa8e416f4f3e0b735b551a4f7b10ac34fe5a9ee9c6d91407ac878ffee64f3

    • SSDEEP

      12288:9xPzOw1+1VJw0wJFBRhZa9icVWNLEsy8lDGkX8I4/H+jWDcImvqA5UGcYkMRMoHG:9PqM6YV+/1HhA3UEjS91ekhhZ

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Persistence

Modify Existing Service

2
T1031

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

4
T1112

Disabling Security Tools

1
T1089

Hidden Files and Directories

2
T1158

Scripting

1
T1064

Tasks