General
-
Target
dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262
-
Size
1.1MB
-
Sample
221206-p78xfadf2w
-
MD5
80a6f592279ea5ee33110734677e5d62
-
SHA1
15a6965cc45a865f94fb05f3931d27acba174415
-
SHA256
dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262
-
SHA512
9a495f0091e00b9ca0e93bd18c348dbeef8c788a9825b283b75912b50b6ca6ac2192a846a47f77494589ec5963407fc85669f6aeac5c826e777d2dc54dd79960
-
SSDEEP
24576:dYi0aeKVUQBoBsrjOP2mnQQsMEqs1MLbp68xcjuJmSOn79F3vqu:dYiLeK7IsrjOP2WNsCs1MLrxUuJm/n7f
Malware Config
Extracted
darkcomet
OT-10aug
h23.us.to:65432
t4rt4r.zapto.org:9384
DC_MUTEX-742F3S6
-
InstallPath
W1Nrar\svchost.exe
-
gencode
wB67Vbr5dSJp
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
Host Process for Windows Services
Targets
-
-
Target
dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262
-
Size
1.1MB
-
MD5
80a6f592279ea5ee33110734677e5d62
-
SHA1
15a6965cc45a865f94fb05f3931d27acba174415
-
SHA256
dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262
-
SHA512
9a495f0091e00b9ca0e93bd18c348dbeef8c788a9825b283b75912b50b6ca6ac2192a846a47f77494589ec5963407fc85669f6aeac5c826e777d2dc54dd79960
-
SSDEEP
24576:dYi0aeKVUQBoBsrjOP2mnQQsMEqs1MLbp68xcjuJmSOn79F3vqu:dYiLeK7IsrjOP2WNsCs1MLrxUuJm/n7f
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-