General

Target: 9743485fb879f786a975418b01003d39
Size: 456KB
Sample: 240212-qqdweaef2t
MD5: 9743485fb879f786a975418b01003d39
SHA1: b3a41b2c1f82437f5bef0109fa4e884b03ade295
SHA256: 3ab783b17d6fdd4f8a53053c46662b55c2625c41ff6fa40fcb06b5f90d15ffb1
SHA512: 9a0fe2fbbeb352a8718b097e8b680f5e5f751cd4027190629d99c8da3df3f44b0864e8739a35a613e5f609aa943fed569e45332f7c67503011e2124c5cd34234
SSDEEP: 12288:/aPSx9BQ26xD6CPqbohjayHxtgFVdNBHqFa6G:iPSx7Qx5vPJZRtgFV1Z6
Static task: static1
Behavioral task: behavioral1
Sample: 9743485fb879f786a975418b01003d39.exe
Resource: win7-20231215-en
Malware Config (extracted)

Family: darkcomet
Botnet: Guest16
C2: lolol.no-ip.biz:1604
Mutex: DC_MUTEX-J4N2A18
InstallPath: MSDCSC\msdcsc.exe
gencode: QJcHkMMH5Zvt
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Targets

Target: 9743485fb879f786a975418b01003d39 (456KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Signatures:
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)