General

  • Target

    a6969b2e391455b3131e023910776904

  • Size

    742KB

  • Sample

    240226-rwg1pagc94

  • MD5

    a6969b2e391455b3131e023910776904

  • SHA1

    1ba26e45966d81346e4d12a0941414bb8229f55c

  • SHA256

    6dc2ef37a86f15cf2a29ca9aeb21a18a692875633716d002c184fc461befb27d

  • SHA512

    dc34edbade37150cd9c63a790670f2b21a8a43b60b302adc5d881ab8b0dd68d5e71c7b3bc4282d7e0bcaf6744ad03f44b54d734ec92a02c918aaa60dfa502761

  • SSDEEP

    12288:+y+opEZPrpfrnmqO8r/d7venrgAwDoikPJkYASdzKF/yl+beS3wpgkack5D2Zn7R:bOPrpfrmqZpbuMDUZA+c/7Z5qZ7kCIWp

Malware Config

Extracted

Family

darkcomet

Botnet

Latest

C2

fooroeling.zapto.org:1604

strullerool.zapto.org:1604

Mutex

DC_MUTEX-WQSL928

Attributes
  • InstallPath

    FileManaging.exe

  • gencode

    wKrptZU3QHh3

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Update

Targets

    • Target

      a6969b2e391455b3131e023910776904

    • Size

      742KB

    • MD5

      a6969b2e391455b3131e023910776904

    • SHA1

      1ba26e45966d81346e4d12a0941414bb8229f55c

    • SHA256

      6dc2ef37a86f15cf2a29ca9aeb21a18a692875633716d002c184fc461befb27d

    • SHA512

      dc34edbade37150cd9c63a790670f2b21a8a43b60b302adc5d881ab8b0dd68d5e71c7b3bc4282d7e0bcaf6744ad03f44b54d734ec92a02c918aaa60dfa502761

    • SSDEEP

      12288:+y+opEZPrpfrnmqO8r/d7venrgAwDoikPJkYASdzKF/yl+beS3wpgkack5D2Zn7R:bOPrpfrmqZpbuMDUZA+c/7Z5qZ7kCIWp

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

      Changes a value under the Winlogon registry key so the implant is launched at every logon independently of the Run key below; for DarkComet this is normally the Userinit value, which it extends with its own install path.

    • Sets file to hidden

      Sets the hidden attribute on the dropped file so it is not shown in Explorer with default settings.

    • Executes dropped EXE

      Runs a file the sample wrote to disk; consistent with the InstallPath FileManaging.exe from the extracted configuration.

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it. The packed outer layer is what the file hashes above identify; the DarkComet configuration was extracted from the unpacked payload.

    • Uses the VBS compiler for execution

      The sample starts vbc.exe, the Visual Basic .NET command-line compiler, which is a common host process for injected RAT payloads. Together with the SetThreadContext signature below this is consistent with process hollowing into vbc.exe, but the report does not itself show the injected code.

    • Adds Run key to start application

      Creates a value under a CurrentVersion\Run key (value name Update per the extracted reg_key attribute) so the installed copy is started at logon.

    • Suspicious use of SetThreadContext

      SetThreadContext on another process's thread is typical of a loader that writes a payload into a suspended child process and redirects its entry point (process hollowing); legitimate software rarely does this.
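The extracted configuration (C2 hosts, port, mutex, InstallPath, reg_key) and the behavioural signatures above are the artifacts a responder would hunt for on other hosts. The following is an added example, not part of the sandbox report or of any DarkComet tooling: it turns those indicators into matching rules and runs them over a few constructed Sysmon-style records. Event IDs follow Sysmon (1 process create, 3 network connection, 11 file create, 13 registry value set, 22 DNS query); the dict layout of the records, the list of parents from which a vbc.exe launch is considered benign, and the family-wide mutex pattern DC_MUTEX-<7 characters> are assumptions of this example rather than facts from the report.

```python
"""Hunt for this DarkComet sample's host and network artifacts.

Added example (not part of the sandbox report or of any DarkComet tooling).
It turns the configuration extracted above and the behavioural signatures
into matching rules and runs them over a few constructed Sysmon-style
records.  Event IDs follow Sysmon (1 process create, 3 network connection,
11 file create, 13 registry value set, 22 DNS query); the record layout is
a simplified assumption, not a real Sysmon export.
"""
import re

# Indicators copied from the extracted configuration.
C2_HOSTS = {"fooroeling.zapto.org", "strullerool.zapto.org"}
C2_PORT = 1604
INSTALL_NAME = "filemanaging.exe"   # InstallPath, compared case-insensitively
RUN_VALUE = "update"                # reg_key: value name under ...\Run

# Assumption: DarkComet mutex names follow DC_MUTEX-<7 chars>, so the check
# is written for the family; the sample's DC_MUTEX-WQSL928 is one instance.
DC_MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")

RUN_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run\\" + RUN_VALUE
USERINIT_SUFFIX = "\\software\\microsoft\\windows nt\\currentversion\\winlogon\\userinit"
# Assumption: parents from which a legitimate vbc.exe launch is expected.
VBC_BENIGN_PARENTS = {"msbuild.exe", "devenv.exe", "csc.exe"}


def _norm(value) -> str:
    return str(value or "").strip().lower()


def _basename(path) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def is_darkcomet_mutex(name: str) -> bool:
    """True if a mutex name (e.g. from a handle listing) matches the family pattern."""
    return bool(DC_MUTEX_RE.match(name))


def match_event(event: dict) -> list:
    """Return the indicator labels a single event matches (empty list if none)."""
    hits = []
    eid = event.get("EventID")

    if eid == 22 and _norm(event.get("QueryName")) in C2_HOSTS:
        hits.append("dns:darkcomet-c2")

    # zapto.org names are dynamic DNS, so match name and port rather than an IP.
    if (eid == 3 and event.get("DestinationPort") == C2_PORT
            and _norm(event.get("DestinationHostname")) in C2_HOSTS):
        hits.append("net:darkcomet-c2")

    if eid == 13:
        target = _norm(event.get("TargetObject"))
        details = _norm(event.get("Details"))
        if target.endswith(RUN_SUFFIX) and _basename(details) == INSTALL_NAME:
            hits.append("persist:run-key")
        # Userinit is a comma-separated list; anything besides userinit.exe is injected.
        if target.endswith(USERINIT_SUFFIX):
            entries = [e.strip() for e in details.split(",") if e.strip()]
            if any(_basename(e) != "userinit.exe" for e in entries):
                hits.append("persist:winlogon-userinit")

    if eid == 11 and _basename(event.get("TargetFilename")) == INSTALL_NAME:
        hits.append("file:install-path")

    # "Uses the VBS compiler for execution" plus SetThreadContext: vbc.exe started
    # by something other than a build tool is treated as a hollowing candidate.
    if (eid == 1 and _basename(event.get("Image")) == "vbc.exe"
            and _basename(event.get("ParentImage")) not in VBC_BENIGN_PARENTS):
        hits.append("proc:vbc-hollowing-candidate")

    return hits


def hunt(events: list) -> dict:
    """Map each indicator label to the indices of the events that matched it."""
    found = {}
    for idx, event in enumerate(events):
        for label in match_event(event):
            found.setdefault(label, []).append(idx)
    return found


# Constructed sample records (not taken from the sandbox run).
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Users\alice\AppData\Roaming\FileManaging.exe",
     "QueryName": "fooroeling.zapto.org"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\FileManaging.exe",
     "DestinationHostname": "strullerool.zapto.org", "DestinationPort": 1604},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": r"C:\Users\alice\AppData\Roaming\FileManaging.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\alice\AppData\Roaming\FileManaging.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\FileManaging.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\FileManaging.exe"},
    # Benign noise that must not match.
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.example.com"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
]

if __name__ == "__main__":
    for label, idxs in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{label:32s} events {idxs}")
    print("mutex check:", is_darkcomet_mutex("DC_MUTEX-WQSL928"))
```

The DNS query (event 22) is the most durable network signal here: both C2 names are dynamic DNS hosts under zapto.org, so the IP they resolve to can change between runs while the name in the configuration does not. The Userinit check deliberately flags any extra entry rather than only FileManaging.exe, because the install path is an attacker-chosen string that varies per build.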

MITRE ATT&CK Enterprise v15

Tasks