darkcomet

General

Target

spoofer_midnight_scpsl.exe
Size

40MB
Sample

230907-rz6s8aaf56
MD5

3d3c14010419dc1ced85b44cf9c91f38
SHA1

be08b0efb0e4ed41c0837e6ebdb8fe63b95b1a26
SHA256

81b1e693a8142ae13395872085ca81a46cb36898a2105d192c25d5b69b1beabc
SHA512

7bfc2fdf16532214b26194a45d3272ab7d70c1ff5998f0c14c3ce1d7713611a99a93daeba20ff09e4d89e0ee4cb12b9ea28c6c81eb56cff268687ba9412e06a6
SSDEEP

786432:QYfYQm3bdf9Pj2pyvKt63puY2IuTAMddSlXpIUGkIC3cVYKeZW8I:QYfYQm3bBFj2UvK45uY2RAMddSlXp3GD

Score

10^/10

Malware Config

Extracted

Family

darkcomet

C2

:

Mutex

DC_MUTEX-VV0895Y

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
ugXab0bmLSfg
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  spoofer_midnight_scpsl.exe
- Size
  
  40MB
- MD5
  
  3d3c14010419dc1ced85b44cf9c91f38
- SHA1
  
  be08b0efb0e4ed41c0837e6ebdb8fe63b95b1a26
- SHA256
  
  81b1e693a8142ae13395872085ca81a46cb36898a2105d192c25d5b69b1beabc
- SHA512
  
  7bfc2fdf16532214b26194a45d3272ab7d70c1ff5998f0c14c3ce1d7713611a99a93daeba20ff09e4d89e0ee4cb12b9ea28c6c81eb56cff268687ba9412e06a6
- SSDEEP
  
  786432:QYfYQm3bdf9Pj2pyvKt63puY2IuTAMddSlXpIUGkIC3cVYKeZW8I:QYfYQm3bBFj2UvK45uY2RAMddSlXp3GD
Score

10^/10

darkcomet evasion persistence pyinstaller rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  6669999 (1).pyc
- Size
  
  2KB
- MD5
  
  727d8ce363c068de369b9e3ad3f0e991
- SHA1
  
  9706e9d3f18964362ce7e8668d33885ede6bee7f
- SHA256
  
  df001d3cdaccee82d77e4b675c2ad91c845415918535dcf10402d6340dc6073d
- SHA512
  
  753e14722131eb2811a1e469adf4823403867af3ec2ab32db7b5b65f13c3b27bf68ea84c664499734f67567f5a58ef9dac3c2a101cbc4218b2a7dbcf129d1ec8
Score

3^/10
behavioral2