General
-
Target
c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101
-
Size
2.7MB
-
Sample
221203-fz6mnsca41
-
MD5
349b587ed5fda616d179ba9a1718fb4c
-
SHA1
d503cdd4bd462f182ff328cc262ec0f99486d6f4
-
SHA256
c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101
-
SHA512
29e079f1c4449e61231f79917ea1da21991855ff3790c356f2f0a5c70474221a518a060cb0405b3d30fcdab5017b0ed1e8dcc8f89ef3502301b4bf8290f986cd
-
SSDEEP
24576:SKKTygi5eQlaRERr3Aui0K29imwteZGSzZt3cn5uXPBL7I7noV6jOIyz8+CQBKZq:+IKjOIy3DBKZFOeBYie
Malware Config
Extracted
darkcomet
PH
justfordarkcomet.zapto.org:1604
127.0.0.1:1604
192.168.0.2:1604
DC_MUTEX-E6M25ZF
-
gencode
ytR7Ej1ChUCo
-
install
false
-
offline_keylogger
true
-
persistence
false
Targets
-
-
Target
c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101
-
Size
2.7MB
-
MD5
349b587ed5fda616d179ba9a1718fb4c
-
SHA1
d503cdd4bd462f182ff328cc262ec0f99486d6f4
-
SHA256
c6cc3880215e9efdc78b6cab7f373390ccdb9615f6dcb2f1f92f8bd65b681101
-
SHA512
29e079f1c4449e61231f79917ea1da21991855ff3790c356f2f0a5c70474221a518a060cb0405b3d30fcdab5017b0ed1e8dcc8f89ef3502301b4bf8290f986cd
-
SSDEEP
24576:SKKTygi5eQlaRERr3Aui0K29imwteZGSzZt3cn5uXPBL7I7noV6jOIyz8+CQBKZq:+IKjOIy3DBKZFOeBYie
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies firewall policy service
-
Windows security bypass
-
Disables RegEdit via registry modification
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-