General

  • Target

    6ebfa74efede9f7cccad2bb4626b3b29

  • Size

    1.8MB

  • Sample

    240122-e9dh7sgeak

  • MD5

    6ebfa74efede9f7cccad2bb4626b3b29

  • SHA1

    cd5c7ffbfe5727c90a6608629b785030248aa343

  • SHA256

    470b9f38d9ed2d265b830dc1f179fb9586f034c2750f971b8711efaac4fc4db7

  • SHA512

    009d55659f7d20adef8e10ec4a9a93e87f06a6ecd2dbe2d7540500629a395d173022ae482d7d6aa18419237d8fb5b24af19f0bc3fb0d552756017f46406de923

  • SSDEEP

    49152:ckwkn9IMHeaMz09WvuQNi9TtEFORuGsdynaIaPCS:XdnVjfZt1Da3PC

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

10.10.0.100:1604

Mutex

DC_MUTEX-Y36LJJY

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    ETGxRJakcHtE

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15