General
-
Target
darkcomet_stub.exe
-
Size
662KB
-
Sample
240401-2n8hsahg73
-
MD5
10bf33fc0b791b5c123bf34647023e46
-
SHA1
e4859675bd2720c22c59d0bd9bfd4b637a1cd297
-
SHA256
9300b7b6bf1e06722e9daf487a52e75470583ed9ecb5078b5ad2b753c2179637
-
SHA512
b9ff6c60888b7bc3049e989190a92dd7b75625c621da319d555b94b310ba1ae407657f9f7398fb6d02d95542276023de8a1c45813d09a29b3c2ed7a9bb237785
-
SSDEEP
12288:03OpvNW4a76S/Ddon/m09bbYlIaaMcE2YGhq3vo1RnfAvIESJgoE26yc/RQ:iOA4aWNn/m09fKIaaBEtWq3A1Ov8Jgbu
Behavioral task
behavioral1
Sample
darkcomet_stub.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
darkcomet_stub.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
darkcomet
Guest16
7.tcp.eu.ngrok.io:16086
DC_MUTEX-VVQ12R5
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
a5HjuWXn17aD
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
darkcomet_stub.exe
-
Size
662KB
-
MD5
10bf33fc0b791b5c123bf34647023e46
-
SHA1
e4859675bd2720c22c59d0bd9bfd4b637a1cd297
-
SHA256
9300b7b6bf1e06722e9daf487a52e75470583ed9ecb5078b5ad2b753c2179637
-
SHA512
b9ff6c60888b7bc3049e989190a92dd7b75625c621da319d555b94b310ba1ae407657f9f7398fb6d02d95542276023de8a1c45813d09a29b3c2ed7a9bb237785
-
SSDEEP
12288:03OpvNW4a76S/Ddon/m09bbYlIaaMcE2YGhq3vo1RnfAvIESJgoE26yc/RQ:iOA4aWNn/m09fKIaaBEtWq3A1Ov8Jgbu
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1