General
Target: taskhost.exe
Size: 1MB
Sample: 230722-nvay7sag77
MD5: 0d833c6509f350e0a15492597df2bda6
SHA1: 1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f
SHA256: d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7
SHA512: 9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118
SSDEEP: 24576:Aam94ouZLkTDc90EVK7bsowfdCKWZQfgsVvGoYjQHFyHH:A2otPu0EVK7ooCbgsVQjQHOH
Static task: static1
Behavioral task: behavioral1
  Sample: taskhost.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: taskhost.exe
  Resource: win10v2004-20230703-en
Malware Config
Extracted
Family: darkcomet
Botnet (campaign ID): Guest16
C2: gameservice.ddns.net:4320
Mutex: DC_MUTEX-WBUNVXD
Attributes:
  InstallPath: AudioDriver\taskhost.exe
  gencode: EWSsWwgyJrUD
  install: true
  offline_keylogger: true
  persistence: false
  reg_key: AudioDriver
Targets
Target: taskhost.exe
Size: 1MB
Score: 10/10
Signatures:
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
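The indicators above (sample hashes, C2 host and port, mutex, install path, Run value name) and the behavioral signatures can be turned directly into host and network detection logic. The following Python is an added example written for this page, not output of the sandbox or code from the sample: it matches the report's IOCs against a handful of constructed EDR/sandbox-style events. The event schema (`process_create`, `registry_set`, `registry_query`, `dns_query`, `network_connect`, `mutex_create`) is invented for the example. Three details the report leaves open are assumptions and are labelled as such in the code: registry paths are matched on their suffix because the report does not state which hive the Run value lives in; "Modifies WinLogon" is taken to mean the `Userinit`/`Shell` values; and "Checks computer location settings" is taken to mean a read of `Control Panel\International\Geo\Nation`. The generic `DC_MUTEX-` pattern goes beyond this one sample and will flag other DarkComet builds.

```python
"""Detection logic for the indicators in this report, run over constructed
EDR/sandbox-style events (constructed here; not output of the analysis run)."""
import re
from collections import Counter

# Indicators copied from the report above (paths lower-cased for matching)
IOCS = {
    "sha256": "d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7",
    "md5": "0d833c6509f350e0a15492597df2bda6",
    "c2_host": "gameservice.ddns.net",
    "c2_port": 4320,
    "mutex": "DC_MUTEX-WBUNVXD",
    "install_path": r"audiodriver\taskhost.exe",   # report: AudioDriver\taskhost.exe
}

# Generic DarkComet mutex shape (DC_MUTEX- plus seven alphanumerics): matches
# other builds of the family, not only this sample's DC_MUTEX-WBUNVXD.
DC_MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")

# Assumptions: the report names the Run value (AudioDriver) but not the hive,
# so registry targets are matched on their lower-cased suffix; "Modifies
# WinLogon" is read as the Userinit/Shell values, and "Checks computer
# location settings" as a read of Control Panel\International\Geo\Nation.
RUN_VALUE_SUFFIX = r"\software\microsoft\windows\currentversion\run\audiodriver"
WINLOGON_SUFFIXES = (r"\windows nt\currentversion\winlogon\userinit",
                     r"\windows nt\currentversion\winlogon\shell")
GEO_NATION_SUFFIX = r"\control panel\international\geo\nation"


def match_event(ev):
    """Return the indicator names an event matches; an empty list means clean."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        hashes = {h.lower() for h in ev.get("hashes", {}).values()}
        if hashes & {IOCS["sha256"], IOCS["md5"]}:
            hits.append("known_sample_hash")
        if ev.get("image", "").lower().endswith(IOCS["install_path"]):
            hits.append("darkcomet_install_path")
    elif kind in ("registry_set", "registry_query"):
        target = ev.get("target", "").lower()
        if kind == "registry_set" and target.endswith(RUN_VALUE_SUFFIX):
            hits.append("run_key_audiodriver")
        if kind == "registry_set" and target.endswith(WINLOGON_SUFFIXES):
            hits.append("winlogon_persistence")
        if kind == "registry_query" and target.endswith(GEO_NATION_SUFFIX):
            hits.append("geo_nation_lookup")
    elif kind == "dns_query":
        if ev.get("query", "").lower().rstrip(".") == IOCS["c2_host"]:
            hits.append("c2_domain")
    elif kind == "network_connect":
        if ev.get("dst_host", "").lower() == IOCS["c2_host"]:
            hits.append("c2_connect")
    elif kind == "mutex_create":
        name = ev.get("name", "")
        if name == IOCS["mutex"]:
            hits.append("sample_mutex")
        elif DC_MUTEX_RE.match(name):
            hits.append("darkcomet_mutex_pattern")
    return hits


def scan(events):
    """Return (indices of flagged events, Counter of indicator names hit)."""
    flagged, counts = [], Counter()
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            flagged.append(i)
            counts.update(hits)
    return flagged, counts


# Constructed events (not from the sandbox run). Event 0 is the legitimate
# Windows taskhost.exe with an unrelated hash and must not be flagged.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\taskhost.exe",
     "hashes": {"SHA256": "0" * 64}},
    {"type": "process_create",
     "image": r"C:\Users\victim\AppData\Roaming\AudioDriver\taskhost.exe",
     "hashes": {"SHA256": IOCS["sha256"].upper()}},
    {"type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AudioDriver"},
    {"type": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"},
    {"type": "registry_query", "target": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "dns_query", "query": "gameservice.ddns.net."},
    {"type": "network_connect", "dst_host": "gameservice.ddns.net", "dst_port": 4320},
    {"type": "mutex_create", "name": "DC_MUTEX-WBUNVXD"},
    {"type": "mutex_create", "name": "DC_MUTEX-ABC1234"},
    {"type": "dns_query", "query": "example.com"},
]

if __name__ == "__main__":
    idx, counts = scan(SAMPLE_EVENTS)
    print("flagged events:", idx)
    for name, n in sorted(counts.items()):
        print(f"  {name}: {n}")
```

Matching the install path on its `AudioDriver\taskhost.exe` suffix rather than on the file name alone is deliberate: the real `taskhost.exe` lives in `C:\Windows\System32`, so a bare file-name match would flood the result with benign events, while the hash match catches only this exact build and the generic mutex pattern catches the family.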