General

  • Target

    d3342dc53f0dc97e9ef23e3194b7818405f9035109449cb41c4308b95759cfab

  • Size

    9.2MB

  • Sample

    221203-erzcysdb85

  • MD5

    027bad6209e6a14b12925d7dde3a92a5

  • SHA1

    a90cab4afdf390b7e64912eff4e667d268083b29

  • SHA256

    d3342dc53f0dc97e9ef23e3194b7818405f9035109449cb41c4308b95759cfab

  • SHA512

    9805cf044f3c2b68e1da0ef964059c36b3c697aaf0b1e837dbf78119841d3de6cc99c7cb1f6e24ba4259aeaeadef57760528cca4d14129967b5a5d6159ade5e1

  • SSDEEP

    24576:Hcosz6bWEhq8Ne5aDpFuufrbtGy92BMqERDQcsp+cPOFZISxqBpcuebmts0+Yo7R:

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

127.0.0.1:1604

Mutex

DCMIN_MUTEX-20T798N

Attributes
  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    AcsVyDXdjgBf

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    DarkComet RAT

Targets

    • Target

      d3342dc53f0dc97e9ef23e3194b7818405f9035109449cb41c4308b95759cfab

    • Size

      9.2MB

    • MD5

      027bad6209e6a14b12925d7dde3a92a5

    • SHA1

      a90cab4afdf390b7e64912eff4e667d268083b29

    • SHA256

      d3342dc53f0dc97e9ef23e3194b7818405f9035109449cb41c4308b95759cfab

    • SHA512

      9805cf044f3c2b68e1da0ef964059c36b3c697aaf0b1e837dbf78119841d3de6cc99c7cb1f6e24ba4259aeaeadef57760528cca4d14129967b5a5d6159ade5e1

    • SSDEEP

      24576:Hcosz6bWEhq8Ne5aDpFuufrbtGy92BMqERDQcsp+cPOFZISxqBpcuebmts0+Yo7R:

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks