General

  • Target: 03418a14a8d2fa686d31747cfefe6bd824dcb782dd602c19fa7efd77585fd1ee
  • Size: 968KB
  • Sample: 221130-rqf67sgg95
  • MD5: f27e2348eaca8df7a62a806ee14d6229
  • SHA1: 5f90c0a83d867cf265fedffa101db91f5e094d4b
  • SHA256: 03418a14a8d2fa686d31747cfefe6bd824dcb782dd602c19fa7efd77585fd1ee
  • SHA512: f2c893f768ea06e4c3c013edb00b70d4eab7fdb2520f668460320561fdca846eaf61e8a6246c3287fe5af0061ee177bdc8a8560df636a599a6ad56888ca88456
  • SSDEEP: 12288:OR49o2m/kijD3tUL/SW+vZi3G0khHCpp1tlAhpoz1qODJXXn3n0kZJWb:4qyhDyLf2wW064dlYwqOJXnkk/W

Malware Config

Extracted

  • Family: darkcomet
  • Botnet: Spy
  • C2:
      127.0.0.1:1604
      nibiru3.duckdns.org:1604
      nibiru33.duckdns.org:1604
  • Mutex: DC_MUTEX-QE733CL

Attributes

  • InstallPath: MSDCSC\Audio Realtek Driver.exe
  • gencode: slqYakBDdplF
  • install: true
  • offline_keylogger: true
  • persistence: true
  • reg_key: MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
      Winlogon Helper DLL, T1004 (1)
      Registry Run Keys / Startup Folder, T1060 (1)
  • Defense Evasion
      Modify Registry, T1112 (2)
  • Discovery
      System Information Discovery, T1082 (1)

Tasks