General

  • Target

    be8971292c6bd69cc35e85b1a51b3fb6a2224153df1fe7ee232d850e68c2274f

  • Size

    986KB

  • Sample

    221203-gsy5paah39

  • MD5

    4c1d2a8b7c254fffd508cf3f5b00248b

  • SHA1

    bf252688fe160e89ef2bdb8af66d9935e7c9f1cd

  • SHA256

    be8971292c6bd69cc35e85b1a51b3fb6a2224153df1fe7ee232d850e68c2274f

  • SHA512

    5b157be5f89fac3cde83c8260c4c479a6c122276f8aca6944f56cfea8fbda30afdaea670a100b44a4da1a912b75b2ca7710aec4e314dc4bd024a5f95e481f530

  • SSDEEP

    24576:jMEhOtMkrJtb0fOspDZ1lS127B3+h4emPWR09Bop:gEh2rJS7pVi2wXQKp

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

12345.no-ip.biz:1177

Mutex

DC_MUTEX-4A5MDFX

Attributes
  • gencode

    ny0zwZA8Xxph

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      be8971292c6bd69cc35e85b1a51b3fb6a2224153df1fe7ee232d850e68c2274f

    • Size

      986KB

    • MD5

      4c1d2a8b7c254fffd508cf3f5b00248b

    • SHA1

      bf252688fe160e89ef2bdb8af66d9935e7c9f1cd

    • SHA256

      be8971292c6bd69cc35e85b1a51b3fb6a2224153df1fe7ee232d850e68c2274f

    • SHA512

      5b157be5f89fac3cde83c8260c4c479a6c122276f8aca6944f56cfea8fbda30afdaea670a100b44a4da1a912b75b2ca7710aec4e314dc4bd024a5f95e481f530

    • SSDEEP

      24576:jMEhOtMkrJtb0fOspDZ1lS127B3+h4emPWR09Bop:gEh2rJS7pVi2wXQKp

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Discovery

Query Registry

1
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

1
T1082

Tasks