General
-
Target
FPSgamefix.exe
-
Size
251KB
-
Sample
240209-bha28afc58
-
MD5
3f17ff4d31f35de16855e3a500c254c9
-
SHA1
ebeb7aa5f9fe1d8288277d11918f06525a3c7dc7
-
SHA256
aa8881fdcaa08ae11809accd75aa3a17c59cc1d711927bcef1210502dc99464f
-
SHA512
cb3dad781a54aadbb600c46c76b58a8f02f5a6e93eb368d6d83165f59db2f5007ec6d9617a2621fb0920f9d99f0964e2c61b4b84d5abe85211b7dd2eb084f62e
-
SSDEEP
6144:1cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37Vkv:1cW7KEZlPzCy37Vw
Malware Config
Extracted
darkcomet
Guest16
8.tcp.us-cal-1.ngrok.io:14496
4.tcp.us-cal-1.ngrok.io:12688
DC_MUTEX-54YN9CA
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
XMXbcA0sjT4Y
-
install
true
-
offline_keylogger
true
-
password
skidhunt1337
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
FPSgamefix.exe
-
Size
251KB
-
MD5
3f17ff4d31f35de16855e3a500c254c9
-
SHA1
ebeb7aa5f9fe1d8288277d11918f06525a3c7dc7
-
SHA256
aa8881fdcaa08ae11809accd75aa3a17c59cc1d711927bcef1210502dc99464f
-
SHA512
cb3dad781a54aadbb600c46c76b58a8f02f5a6e93eb368d6d83165f59db2f5007ec6d9617a2621fb0920f9d99f0964e2c61b4b84d5abe85211b7dd2eb084f62e
-
SSDEEP
6144:1cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37Vkv:1cW7KEZlPzCy37Vw
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-