General

  • Target

    6cdbdd6aafe20b82c8fd000181386e90

  • Size

    309KB

  • Sample

    240121-kmsbqsace7

  • MD5

    6cdbdd6aafe20b82c8fd000181386e90

  • SHA1

    0f43318e1b505b7810e8684c7a2f900d39a70098

  • SHA256

    a6fcef7f8c8fabeff5a2423aacef205611003a8481c47a238ab32683784909c3

  • SHA512

    9d28a5a4d6ebb375655075f9ea870ade5385354725252c9070967908f6c59958920d7ab4f201ad34b9527364e0191d92c14a7b8926f00a14cfb43cbab57d9d9f

  • SSDEEP

    6144:kbl2MQpS9cX5punAqosfrVzbN/2W3gt53uLEmmpK44YFNxQ2SYc:kb01EapjqdN/LS5+LE1pK44YLnY

Malware Config

Extracted

Family

darkcomet

Botnet

chi

C2

cute.no-ip.org:1604

Mutex

DC_MUTEX-AQVMBA6

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    uHpjeDbE2NpN

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      6cdbdd6aafe20b82c8fd000181386e90

    • Size

      309KB

    • MD5

      6cdbdd6aafe20b82c8fd000181386e90

    • SHA1

      0f43318e1b505b7810e8684c7a2f900d39a70098

    • SHA256

      a6fcef7f8c8fabeff5a2423aacef205611003a8481c47a238ab32683784909c3

    • SHA512

      9d28a5a4d6ebb375655075f9ea870ade5385354725252c9070967908f6c59958920d7ab4f201ad34b9527364e0191d92c14a7b8926f00a14cfb43cbab57d9d9f

    • SSDEEP

      6144:kbl2MQpS9cX5punAqosfrVzbN/2W3gt53uLEmmpK44YFNxQ2SYc:kb01EapjqdN/LS5+LE1pK44YLnY

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar tools.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Program crash

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks