General

  • Target

    ea3fbd5c4287cd70fc9f7afa9fcdb051590119328940ea4cc4ac81a7354a099f

  • Size

    780KB

  • Sample

    240216-zbs68afd4z

  • MD5

    8856421fb1466402d641740f0c245f0e

  • SHA1

    b4a6f32c39998ff4ab1e2dc909e9a3c9af9b0af4

  • SHA256

    ea3fbd5c4287cd70fc9f7afa9fcdb051590119328940ea4cc4ac81a7354a099f

  • SHA512

    a31f6c68674ee7dba18eb9611dd1edec48870619bce17e9591c342f1be3bc58330b56e64dd90791dd1800a51fd15e2901e80398682ea2e6de29a62d2435490bd

  • SSDEEP

    12288:8zxzTDWikLSb4NS7ET+tG1X2K0Ljdb2L9uSnSNRZj4qsKfI95BFuvuzwd9:6DWHSb4Nh8K0LkxuSSNRZlM79k9

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Microsoft

  • C2

    17.ip.gl.ply.gg:8888

    17.ip.gl.ply.gg:62996

  • Mutex

    DC_MUTEX-GGMC9ZS

Attributes

  • InstallPath

    Java\java.exe

  • gencode

    TEzt39PRTRWW

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Java

Targets

    • Target

      ea3fbd5c4287cd70fc9f7afa9fcdb051590119328940ea4cc4ac81a7354a099f

    • Size

      780KB

    • MD5

      8856421fb1466402d641740f0c245f0e

    • SHA1

      b4a6f32c39998ff4ab1e2dc909e9a3c9af9b0af4

    • SHA256

      ea3fbd5c4287cd70fc9f7afa9fcdb051590119328940ea4cc4ac81a7354a099f

    • SHA512

      a31f6c68674ee7dba18eb9611dd1edec48870619bce17e9591c342f1be3bc58330b56e64dd90791dd1800a51fd15e2901e80398682ea2e6de29a62d2435490bd

    • SSDEEP

      12288:8zxzTDWikLSb4NS7ET+tG1X2K0Ljdb2L9uSnSNRZj4qsKfI95BFuvuzwd9:6DWHSb4Nh8K0LkxuSSNRZlM79k9

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks