General
-
Target
ESLgdmd.exe
-
Size
658KB
-
Sample
240302-e6wwdaaf68
-
MD5
9a1296f15ba38db6500996f2ab63326b
-
SHA1
23fdace0f52b005b4a8c48f1e3d2328d1dc17daa
-
SHA256
4218376daccfef8f6ab886677d35f611742d87514f397ba364aecc31def43162
-
SHA512
4b95b505ad0c40a524106ecb74a21586076b3b83cce9039cb16890d91e62a7952a4bfcd55240ebad43af2f0a5dece71644e247983e89475bdddddda5ec5c1db1
-
SSDEEP
12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hxM:KZ1xuVVjfFoynPaVBUR8f+kN10EB7M
Malware Config
Extracted
darkcomet
Guest16
hacker201.no-ip.biz:1604
DC_MUTEX-5VHD9SM
-
InstallPath
Windupdt/winupdate.exe
-
gencode
0HWc2rAvaCd2
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
winupdater
Targets
-
-
Target
ESLgdmd.exe
-
Size
658KB
-
MD5
9a1296f15ba38db6500996f2ab63326b
-
SHA1
23fdace0f52b005b4a8c48f1e3d2328d1dc17daa
-
SHA256
4218376daccfef8f6ab886677d35f611742d87514f397ba364aecc31def43162
-
SHA512
4b95b505ad0c40a524106ecb74a21586076b3b83cce9039cb16890d91e62a7952a4bfcd55240ebad43af2f0a5dece71644e247983e89475bdddddda5ec5c1db1
-
SSDEEP
12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hxM:KZ1xuVVjfFoynPaVBUR8f+kN10EB7M
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Modifies security service
-
Windows security bypass
-
Disables RegEdit via registry modification
-
Windows security modification
-
Adds Run key to start application
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1