General

  • Target

    f9197d5a2e2d7a2b2f80bb387f7d2c28

  • Size

    1.2MB

  • Sample

    231228-z8w95sgegn

  • MD5

    f9197d5a2e2d7a2b2f80bb387f7d2c28

  • SHA1

    4852766feb4948903bc09c9a493bf0f0398c0095

  • SHA256

    5bfa91a23214f1a4bba7efffd224e5fdde2e7b69ecd9fe286b62451585c577a9

  • SHA512

    6a53efdd665ccc6cc0bcd287809326ec9af28b584d14bf448d944fdbca27abde5362353c5793277bd29cffb79a322d034721d120060574aa667335551eff8718

  • SSDEEP

    24576:Y2O/GlDHqFHHVDFNEzQbCG3/QJfSPXYuTfx8n2VuFSWVxNu:nHUYQjQhUo0WbsGxQ

Malware Config

Extracted

Family

darkcomet

Attributes
  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

Extracted

Family

darkcomet

Botnet

NEWBABY2

C2

dcthings.changeip.org:988

Mutex

DC_MUTEX-HMSY2RH

Attributes
  • gencode

    a2CQEonCR87h

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      f9197d5a2e2d7a2b2f80bb387f7d2c28

    • Size

      1.2MB

    • MD5

      f9197d5a2e2d7a2b2f80bb387f7d2c28

    • SHA1

      4852766feb4948903bc09c9a493bf0f0398c0095

    • SHA256

      5bfa91a23214f1a4bba7efffd224e5fdde2e7b69ecd9fe286b62451585c577a9

    • SHA512

      6a53efdd665ccc6cc0bcd287809326ec9af28b584d14bf448d944fdbca27abde5362353c5793277bd29cffb79a322d034721d120060574aa667335551eff8718

    • SSDEEP

      24576:Y2O/GlDHqFHHVDFNEzQbCG3/QJfSPXYuTfx8n2VuFSWVxNu:nHUYQjQhUo0WbsGxQ

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks