General

  • Target

    a3c52927ac2b85f60a205fd2f2e90a65

  • Size

    627KB

  • Sample

    240225-pknb8acb5y

  • MD5

    a3c52927ac2b85f60a205fd2f2e90a65

  • SHA1

    c9829668db31ce439bb6d2f0ad70be6cf80468ca

  • SHA256

    29fa37b763393d81c06e2a75ee9e59351b2d82e8ab87adecd2f11d222cb0fbb6

  • SHA512

    2eb1e00c081c7358ed51fa675c7d29f7abb3b7e55b0da6f1c4d302e68935f34788002ee5da502af6da6ecdd0ab597efed66d7e0a149ed2d9c08b08d4bb9068b6

  • SSDEEP

    12288:rKP7lJ8l+/sx2OkDl2O2EFi/nfgwi+333u8Lo0poD0fytqV:+5J8ldx2fJrnK3331LogoIfytqV

Malware Config

Extracted

Family

darkcomet

Botnet

Tool-01

C2

doctor12.no-ip.org:1604

Mutex

DC_MUTEX-A64KEZW

Attributes
  • gencode

    2mp1vedcVuuz

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      a3c52927ac2b85f60a205fd2f2e90a65

    • Size

      627KB

    • MD5

      a3c52927ac2b85f60a205fd2f2e90a65

    • SHA1

      c9829668db31ce439bb6d2f0ad70be6cf80468ca

    • SHA256

      29fa37b763393d81c06e2a75ee9e59351b2d82e8ab87adecd2f11d222cb0fbb6

    • SHA512

      2eb1e00c081c7358ed51fa675c7d29f7abb3b7e55b0da6f1c4d302e68935f34788002ee5da502af6da6ecdd0ab597efed66d7e0a149ed2d9c08b08d4bb9068b6

    • SSDEEP

      12288:rKP7lJ8l+/sx2OkDl2O2EFi/nfgwi+333u8Lo0poD0fytqV:+5J8ldx2fJrnK3331LogoIfytqV

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks