General
-
Target
FOTOVERANO15.scr
-
Size
874KB
-
Sample
230507-k1cs7seh71
-
MD5
ec692bde91ad1c6e182843bc0a5c7e81
-
SHA1
54996c1d4aeaf76855b7b73a323b74c191573863
-
SHA256
de19d8ea2911ff7e337823576e214151ad4426206db8e9ea9880778f2592f935
-
SHA512
4b4d5b7707071b86cb2d55411766bb3ebde9a8765becdaf5840d78be6e278f5b3d2bbe2888350a4d113c49a65c9b8e2ec818429db91c72529b0fbfd12f9c7dbe
-
SSDEEP
24576:aZ1xuVVjfFoynPaVBUR8f+kN10EBa10svzX:qQDgok30gW
Malware Config
Extracted
darkcomet
FOTOVERANO15
seguridadsocial.ddns.net:1604
DC_MUTEX-MKHPJPY
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
lsBsa7lPZ9Fu
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
FOTOVERANO15.scr
-
Size
874KB
-
MD5
ec692bde91ad1c6e182843bc0a5c7e81
-
SHA1
54996c1d4aeaf76855b7b73a323b74c191573863
-
SHA256
de19d8ea2911ff7e337823576e214151ad4426206db8e9ea9880778f2592f935
-
SHA512
4b4d5b7707071b86cb2d55411766bb3ebde9a8765becdaf5840d78be6e278f5b3d2bbe2888350a4d113c49a65c9b8e2ec818429db91c72529b0fbfd12f9c7dbe
-
SSDEEP
24576:aZ1xuVVjfFoynPaVBUR8f+kN10EBa10svzX:qQDgok30gW
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-