General
-
Target
bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54
-
Size
1.4MB
-
Sample
221203-grzd3aag56
-
MD5
9dd38615196e4992a915698ed23d2aff
-
SHA1
67b50b4aa1b9e738b1c7d902e10dc66b6ab52681
-
SHA256
bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54
-
SHA512
1d4e280a002dd09ac102b1790f27fb68a28b0d1b1c6f73c7c25ca1f20971a5d09ed172888fe8317803600826d1a7cf4ae4f808652999bab418c1c52ceb1fdaf8
-
SSDEEP
24576:/SY34IXoDdLgzm1mvPJvVp9q8x2OVdtX95rZBlKsKEw2RTISmO:/NITovPJvHn28R/bLRTI
Malware Config
Extracted
darkcomet
minecraftgett0111
qwertyfuck.no-ip.biz:1604
DC_MUTEX-GNGL16E
-
gencode
EbPKlSTAN5A7
-
install
false
-
offline_keylogger
true
-
persistence
false
Targets
-
-
Target
bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54
-
Size
1.4MB
-
MD5
9dd38615196e4992a915698ed23d2aff
-
SHA1
67b50b4aa1b9e738b1c7d902e10dc66b6ab52681
-
SHA256
bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54
-
SHA512
1d4e280a002dd09ac102b1790f27fb68a28b0d1b1c6f73c7c25ca1f20971a5d09ed172888fe8317803600826d1a7cf4ae4f808652999bab418c1c52ceb1fdaf8
-
SSDEEP
24576:/SY34IXoDdLgzm1mvPJvVp9q8x2OVdtX95rZBlKsKEw2RTISmO:/NITovPJvHn28R/bLRTI
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-