General
-
Target
c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339
-
Size
317KB
-
Sample
221203-cgy84ahe5v
-
MD5
178b94a462503845831cd0a6c3e3b500
-
SHA1
99510e9b7abbfff7cc4097e51196ad801fc1d82d
-
SHA256
c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339
-
SHA512
ee4ee70924bf2221de983527cbc3b6d10c2962d0f0f046efe523088bf51df0da0de0c5a8a56e8c6958167e32052201b789eeff2cc989d2333760e9549e0465cf
-
SSDEEP
6144:hzjAH9agPC3gLzeAyzhsv70s3QS8A7KQGNBZmUF4nHytzcc:xAdag1mAyzMxp8A7KQGNBZm3HOcc
Malware Config
Extracted
darkcomet
24
127.0.0.1:1604
172.162.22.200:1604
remaxcheckings.no-ip.biz:1604
DC_MUTEX-AT9WGLV
-
InstallPath
MSDCSC\remaxcheckings.exe
-
gencode
WN5Nr6wiGseC
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
remaxcheckings
Targets
-
-
Target
c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339
-
Size
317KB
-
MD5
178b94a462503845831cd0a6c3e3b500
-
SHA1
99510e9b7abbfff7cc4097e51196ad801fc1d82d
-
SHA256
c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339
-
SHA512
ee4ee70924bf2221de983527cbc3b6d10c2962d0f0f046efe523088bf51df0da0de0c5a8a56e8c6958167e32052201b789eeff2cc989d2333760e9549e0465cf
-
SSDEEP
6144:hzjAH9agPC3gLzeAyzhsv70s3QS8A7KQGNBZmUF4nHytzcc:xAdag1mAyzMxp8A7KQGNBZm3HOcc
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Modifies security service
-
Windows security bypass
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-