General
- Target: e8acd36b264ba0f6ef059bd9e31a2adbae4ae8271462880501bbc786dd087263
- Size: 1.4MB
- Sample: 221130-yg8y7ahh96
- MD5: 867a94427df23e7400f1912e0054c02e
- SHA1: c8004ee0f6895757e6e3c391100b09ca6fedacc3
- SHA256: e8acd36b264ba0f6ef059bd9e31a2adbae4ae8271462880501bbc786dd087263
- SHA512: a2ef02dd014ab123d372b9925b86e352cc1324cb0ebc8838f94e52243fef2d867a49ad132e8c7e35b983d9395b7140e4a454f4dfa20d17aad7de6ee04fce579d
- SSDEEP: 24576:V6f6UcjbYmVn3hITCmvOTggIRfmQX3zRYC6FVZPv+FWe4Ys/E:V861jnJgjYlDZ3+UT/E

Static task: static1
Behavioral task: behavioral1
- Sample: e8acd36b264ba0f6ef059bd9e31a2adbae4ae8271462880501bbc786dd087263.exe
- Resource: win7-20221111-en

Malware Config
Extracted
- darkcomet
- gyge
- 127.0.0.1:1604
- DCMIN_MUTEX-CZGVNEU
- InstallPath: DCSCMIN\IMDCSC.exe
- gencode: 2uuQwotMFJj1
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: DarkComet RAT
Targets
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Suspicious use of SetThreadContext