General

  • Target

    File.exe

  • Size

    2.8MB

  • Sample

    230226-kpv6eagb81

  • MD5

    405ad6900ec6e4dd973bd065ae553e87

  • SHA1

    3a966d77673e1a7a1417ff76b730996d9f8e9022

  • SHA256

    22aa7f7c36245dc75950bdca6d85eda699084516083306f6be8dd5e596d99865

  • SHA512

    020fd4b3adbae94edd64565dcb8cc70bdf5a036d18efe63470f2521e951be0088a9c713d95fdde9372bc2e3d5c04c0f2d5de19a68d012a02e208882737b4de46

  • SSDEEP

    49152:dIS4fV+/A3knfH5YvDxcYlFMUXzRYSGZle13H:dIRV+/A3knf6DeYDXdYff63

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

considered-stars.at.ply.gg:11659

Mutex

DC_MUTEX-4RAEX72

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    741ngBRSJpQj

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicrosoftUpdate

Targets

    • Target

      File.exe

    • Size

      2.8MB

    • MD5

      405ad6900ec6e4dd973bd065ae553e87

    • SHA1

      3a966d77673e1a7a1417ff76b730996d9f8e9022

    • SHA256

      22aa7f7c36245dc75950bdca6d85eda699084516083306f6be8dd5e596d99865

    • SHA512

      020fd4b3adbae94edd64565dcb8cc70bdf5a036d18efe63470f2521e951be0088a9c713d95fdde9372bc2e3d5c04c0f2d5de19a68d012a02e208882737b4de46

    • SSDEEP

      49152:dIS4fV+/A3knfH5YvDxcYlFMUXzRYSGZle13H:dIRV+/A3knf6DeYDXdYff63

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Winlogon Helper DLL (T1004): 1

  • Hidden Files and Directories (T1158): 2

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 2

  • Hidden Files and Directories (T1158): 2

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

Tasks