General

  • Target

    3ce93e4cd89e0839c9a0216a271faa35ead29c48da69180a2e7373bc406680af

  • Size

    283KB

  • Sample

    230130-e4ppaahb74

  • MD5

    10fda18d615bb2a1a6b908899b750a80

  • SHA1

    615db4bab0c2ed0f1739ad72f2615156573e66b7

  • SHA256

    3ce93e4cd89e0839c9a0216a271faa35ead29c48da69180a2e7373bc406680af

  • SHA512

    80a39d30ad7aa54825e5676991fc3482226d78702b7441795d4209b4a283c1c8a870b5200f38860be318efa0ae3054ab1b4c994c6e7e9636197ce965fa7e40b2

  • SSDEEP

    6144:QcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL372ZV:QcW7KEZlPzCy37Q

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    الضحية

  • C2

    127.0.0.1:1604

  • Mutex

    DC_MUTEX-7VRUSP1

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    7EGKaUP0cfGk

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Drops file in Drivers directory

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Winlogon Helper DLL (T1004): 1
    Modify Existing Service (T1031): 1
    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 3

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2