General

  • Target

    68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7

  • Size

    283KB

  • Sample

    240307-zl98gsed6y

  • MD5

    5d3a6ff4d3968270f9f09e351c24cb3c

  • SHA1

    4dbc0b4033cc9174e4fde4c382046205ac44b453

  • SHA256

    68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7

  • SHA512

    33904af3e7602c0c586ec1e8a4050ac3b9a5338798c42d94aa9e6317860716b74e28c13896d352a73f3ca0708959b3730dafb94121cb28bedd6424a807493e08

  • SSDEEP

    6144:AcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37+:AcW7KEZlPzCy37+

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

darkcomet3.ddns.net:1604

Mutex

DC_MUTEX-ZJFLPGE

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    J1Dp0ixzbN0M

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7

    • Size

      283KB

    • MD5

      5d3a6ff4d3968270f9f09e351c24cb3c

    • SHA1

      4dbc0b4033cc9174e4fde4c382046205ac44b453

    • SHA256

      68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7

    • SHA512

      33904af3e7602c0c586ec1e8a4050ac3b9a5338798c42d94aa9e6317860716b74e28c13896d352a73f3ca0708959b3730dafb94121cb28bedd6424a807493e08

    • SSDEEP

      6144:AcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37+:AcW7KEZlPzCy37+

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • UPX dump on OEP (original entry point)

    • Disables RegEdit via registry modification

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Modify Registry

7
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks