General

  • Target

    6f3b4ee8f744edeedfdf34e2da175194

  • Size

    392KB

  • Sample

    240122-kp44bachc7

  • MD5

    6f3b4ee8f744edeedfdf34e2da175194

  • SHA1

    82f2c9f799360483c888fba323224b51d7199305

  • SHA256

    56d0fd9e67ef644736a28aa546df092c4c18a6230b724bcb750c20c3c6a7cc4d

  • SHA512

    eddb31165635f6042c1784653c9b27f1f718c7efb0c17fa1876369725f6a82029d52cdc33f326b547fb70e8f826e36beced2083a48198a11def97878c4ada70b

  • SSDEEP

    6144:FQ3mMEH9mxnAWDNLzo91Mvz13sqd9yW6dM4R04utenb1DbV78g3pY:WmDdSAOdkrMz13vd1oMU0h0bLYg5

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

joannn.zapto.org:80

Mutex

DC_MUTEX-F54S21D

Attributes
  • gencode

    MvLWkVpD9cCK

  • install

    false

  • offline_keylogger

    true

  • persistence

    false
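The extracted config above is the most directly usable output of the report: the C2 hostname and the mutex name are host- and network-level indicators that can be hunted for immediately. joannn.zapto.org is a No-IP dynamic DNS name, so its resolved address can change at any time; match on the hostname, not on an IP. The script below is an added example, not part of the original report or the Triage tooling; it turns those two fields into an IOC check and runs it over a handful of constructed DNS and mutex-creation events (the log format and every line in SAMPLE_LOGS are made up for the demo).

```python
from dataclasses import dataclass

# Indicators taken from the extracted config above. Port 80 alone is not an
# indicator, so it is not matched on.
C2_HOST = "joannn.zapto.org"
MUTEX = "DC_MUTEX-F54S21D"
# DarkComet builds default to mutex names of the form DC_MUTEX-XXXXXXX, so the
# prefix alone is a useful family-level indicator (weaker than the exact name).
MUTEX_PREFIX = "DC_MUTEX-"

# Constructed telemetry for the demo (not real logs): one event per line,
# "<timestamp> <source> key=value ...", with no spaces inside values.
SAMPLE_LOGS = [
    "2024-01-22T10:01:03Z dns client=10.0.0.15 query=www.example.com type=A",
    "2024-01-22T10:01:09Z dns client=10.0.0.21 query=JOANNN.zapto.org. type=A",
    "2024-01-22T10:01:11Z mutex host=WS21 image=C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe name=DC_MUTEX-F54S21D",
    "2024-01-22T10:02:40Z mutex host=WS07 image=C:\\Windows\\explorer.exe name=Local\\ExplorerIsShellMutex",
    "2024-01-22T10:03:01Z mutex host=WS09 image=C:\\Temp\\a.exe name=DC_MUTEX-A1B2C3D",
]


@dataclass
class Hit:
    kind: str        # "c2_host", "mutex_exact" or "mutex_family"
    indicator: str
    line: str


def parse_event(line: str) -> dict:
    """Split one telemetry line into a dict of fields."""
    ts, source, *rest = line.split(" ")
    fields = {"ts": ts, "source": source}
    for token in rest:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def scan(lines) -> list:
    """Return a Hit for every line that matches one of the config indicators."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev["source"] == "dns":
            # Normalise case and a trailing dot so resolver quirks do not hide the match.
            qname = ev.get("query", "").lower().rstrip(".")
            if qname == C2_HOST:
                hits.append(Hit("c2_host", C2_HOST, line))
        elif ev["source"] == "mutex":
            name = ev.get("name", "")
            if name == MUTEX:
                hits.append(Hit("mutex_exact", MUTEX, line))
            elif name.startswith(MUTEX_PREFIX):
                hits.append(Hit("mutex_family", name, line))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"{hit.kind:13} {hit.indicator:22} <- {hit.line}")
```

The prefix match fires on a different DarkComet build (DC_MUTEX-A1B2C3D) as well as on this sample's exact mutex; treat the family-level hit as a lead to pivot on rather than as confirmation of this specific sample.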

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies security service

    • Windows security bypass

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and other default file listings.

    • Checks computer location settings

      Looks up the country code configured in the registry; likely used as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Windows security modification

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites a thread's register state; malware commonly uses it to redirect a suspended process to injected code (process hollowing / thread hijacking).
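The "UPX packed file" signature above rests on the most visible trace UPX leaves in a PE: section names UPX0/UPX1 and the "UPX!" marker in its packed header. The parser below is an added example, not the sandbox's detection logic, and it does not operate on the sample itself; it walks a PE section table and reports those traces, tested against a minimal constructed PE skeleton (build_fake_pe) that carries only the headers needed for the check and is not an executable.

```python
import struct

UPX_SECTION_PREFIX = b"UPX"   # UPX names its sections UPX0, UPX1 (and sometimes UPX2)
UPX_MAGIC = b"UPX!"           # marker UPX writes into its packed header


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image; raise ValueError if it is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + 40 * i
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> dict:
    """Crude UPX heuristic: UPX-named sections or the UPX! marker anywhere in the file."""
    names = pe_section_names(data)
    upx_sections = [n for n in names if n.encode().startswith(UPX_SECTION_PREFIX)]
    has_magic = UPX_MAGIC in data
    return {
        "sections": names,
        "upx_sections": upx_sections,
        "upx_magic": has_magic,
        "verdict": bool(upx_sections) or has_magic,
    }


def build_fake_pe(section_names, extra: bytes = b"") -> bytes:
    """Build a minimal PE skeleton (constructed test input, not a runnable binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> right after DOS header
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0xE0 (PE32), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x102)
    opt = bytes(0xE0)                                     # optional header left zeroed
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + opt + sections + extra


if __name__ == "__main__":
    packed = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], extra=UPX_MAGIC)
    plain = build_fake_pe([b".text", b".rdata", b".data"])
    print(looks_upx_packed(packed))
    print(looks_upx_packed(plain))
```

Section names and the marker are trivially renamed or patched out by a "modified UPX" build, which is exactly the case the signature description mentions; a production check also looks at section entropy, the near-empty import table and the unpacking stub at the entry point rather than relying on names alone.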

MITRE ATT&CK Enterprise v15

Tasks