General

  • Target

    İcespoofer®.exe

  • Size

    266KB

  • Sample

    240119-n9hbtsdebk

  • MD5

    5fe7370d405c4a98bc87e031d28baccb

  • SHA1

    49f14dceb36ab66cb78111e9f7fa5b763d949555

  • SHA256

    07fda6f39b01914b60f2843c52a0671bdbdf6db2ec9732b8701c29b4e98a27ff

  • SHA512

    6d4c27de20a1020e3f68aa7e9820aab4209d90d6e5bf9a0254bf15e167033bdcfaf2c00b08b37c426008da74dba495e0277d59f589bb9dc042e559c2a0f3f7f2

  • SSDEEP

    6144:EcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37M:EcW7KEZlPzCy37

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Kurban

  • C2

    tr3.localto.net:45797

  • Mutex

    DC_MUTEX-BAXXEKF

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    K6r5XHNMqZyt

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Windows Health Services

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks