General
-
Target
fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935
-
Size
3.0MB
-
Sample
221130-nr29aafh66
-
MD5
6f6614d8d57607da94626df2a6f6115d
-
SHA1
50bcecaca1aff978d6f79b76fcf7d974cbbdce32
-
SHA256
fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935
-
SHA512
1e854ca45b7854874ef28aa84a42d31931018adb0239655b6eb37af6f32d1a55dc301fd5b378b65d2869e3831452418aae3705af0a3290979ee801b6631bb178
-
SSDEEP
24576:Ihqg3a11e7FXE61jqAdc9DH/73df8XoxZlYscJsLn1D4L4oSnJRxEkQq77GraUDN:IhqoRXE6GtU4hYse+n1kcMGCYVoOPA
Malware Config
Extracted
darkcomet
Main
leinuo2rat.no-ip.biz:1604
DC_MUTEX-ZPESHXD
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
KlPD5oRnmTw4
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
Updata
Targets
-
-
Target
fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935
-
Size
3.0MB
-
MD5
6f6614d8d57607da94626df2a6f6115d
-
SHA1
50bcecaca1aff978d6f79b76fcf7d974cbbdce32
-
SHA256
fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935
-
SHA512
1e854ca45b7854874ef28aa84a42d31931018adb0239655b6eb37af6f32d1a55dc301fd5b378b65d2869e3831452418aae3705af0a3290979ee801b6631bb178
-
SSDEEP
24576:Ihqg3a11e7FXE61jqAdc9DH/73df8XoxZlYscJsLn1D4L4oSnJRxEkQq77GraUDN:IhqoRXE6GtU4hYse+n1kcMGCYVoOPA
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Suspicious use of SetThreadContext
-