General

  • Target

    b6b6a5213f8b3e7ce5306cd069dcbf5e

  • Size

    800KB

  • Sample

    240306-g1j1qsea93

  • MD5

    b6b6a5213f8b3e7ce5306cd069dcbf5e

  • SHA1

    9991f4da8630039b84f4bf8c1b45fec898fa80b7

  • SHA256

    27b67644170b08d57dcd8bb39d9b779632aad6697845015175e51e4801a42a5a

  • SHA512

    bb0deacba3eeca40fe69990c30a9a3cee3d82052d895a50e7c92b461ca19ecf6c1109209763b6df4ea2fe9c3565c672fe63c7a11dfd9692ba71fae223eafb6ea

  • SSDEEP

    12288:+f9tz7HqHG/niI+dExFzfPrwbg1llIfUls:+f7z7HqKsE+2lIff

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

speeed.hopto.org:147

Mutex

DC_MUTEX-HGY40HP

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    cNTlixxZgYma

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      b6b6a5213f8b3e7ce5306cd069dcbf5e

    • Size

      800KB

    • MD5

      b6b6a5213f8b3e7ce5306cd069dcbf5e

    • SHA1

      9991f4da8630039b84f4bf8c1b45fec898fa80b7

    • SHA256

      27b67644170b08d57dcd8bb39d9b779632aad6697845015175e51e4801a42a5a

    • SHA512

      bb0deacba3eeca40fe69990c30a9a3cee3d82052d895a50e7c92b461ca19ecf6c1109209763b6df4ea2fe9c3565c672fe63c7a11dfd9692ba71fae223eafb6ea

    • SSDEEP

      12288:+f9tz7HqHG/niI+dExFzfPrwbg1llIfUls:+f7z7HqKsE+2lIff

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Modify Registry

2
T1112

Discovery

System Information Discovery

1
T1082

Tasks