General

  • Target

    d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420

  • Size

    498KB

  • Sample

    221203-esp6nsdc39

  • MD5

    1bddf9a06684a1cf0d88dacdf407fc20

  • SHA1

    a6d1769c6e15a82434913476dac42d90a3ae3b43

  • SHA256

    d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420

  • SHA512

    5b02a92e8e67b5e74f0ba7838b708cfd3cebc8e754345351d5bfaf68e44a6b4498cef6461358355f25d42e4f75fb40b6bc59cd368f0945af5145b1986f52dd21

  • SSDEEP

    12288:ch5C8uBkFzIkjFNT9RA73gTSZv7xbVxCfk7Kl0ywos:GiZkx996LM+7Z4WKl0yx

Malware Config

Extracted

Family

darkcomet

Botnet

313

C2

samantha.servebeer.com:1604

Mutex

DC_MUTEX-61Q6CYX

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    cbF34c47laEA

  • install

    true

  • offline_keylogger

    false

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420

    • Size

      498KB

    • MD5

      1bddf9a06684a1cf0d88dacdf407fc20

    • SHA1

      a6d1769c6e15a82434913476dac42d90a3ae3b43

    • SHA256

      d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420

    • SHA512

      5b02a92e8e67b5e74f0ba7838b708cfd3cebc8e754345351d5bfaf68e44a6b4498cef6461358355f25d42e4f75fb40b6bc59cd368f0945af5145b1986f52dd21

    • SSDEEP

      12288:ch5C8uBkFzIkjFNT9RA73gTSZv7xbVxCfk7Kl0ywos:GiZkx996LM+7Z4WKl0yx

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Scripting

1
T1064

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks