General

  • Target

    e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca

  • Size

    1.1MB

  • Sample

    240414-c85j7ade62

  • MD5

    e88bab5d7caf5f30f87e56fce21b8eb4

  • SHA1

    32bf71fcec9a64e9d8adf36201b15803a9d5812d

  • SHA256

    e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca

  • SHA512

    7cff1f10c83247257d30508ac9d8aa6a12bd1f536bcc3aee95b61144584d839e350d38f3fc1cf11b4b1da6530e5191291af1bfdbf8c906e124b7abcf14e5f3e1

  • SSDEEP

    24576:mJwXnr79xF09allHpm/rhUZqACJy5aGU:mu3rl7PmThVAOycGU

Malware Config

Extracted

Family

darkcomet

Botnet

crypter

C2

184.144.223.8:51800

overcrash.no-ip.biz:51800

Mutex

DC_MUTEX-E5P79CY

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    7LSrP3sXvcog

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca

    • Size

      1.1MB

    • MD5

      e88bab5d7caf5f30f87e56fce21b8eb4

    • SHA1

      32bf71fcec9a64e9d8adf36201b15803a9d5812d

    • SHA256

      e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca

    • SHA512

      7cff1f10c83247257d30508ac9d8aa6a12bd1f536bcc3aee95b61144584d839e350d38f3fc1cf11b4b1da6530e5191291af1bfdbf8c906e124b7abcf14e5f3e1

    • SSDEEP

      24576:mJwXnr79xF09allHpm/rhUZqACJy5aGU:mu3rl7PmThVAOycGU

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Sets the hidden attribute on the dropped file so that it is not shown by Explorer (and other tools that honour the attribute) under default settings.

    • Checks computer location settings

      Reads the country code configured in the registry; this is most likely a geofence check used to decide whether to run on the host.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
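The indicators above (C2 endpoints, mutex, InstallPath, the MicroUpdate Run key, and the dropped-EXE / vbc.exe behaviours) are only useful once they are matched against host telemetry. The following Python is an added example written for this page; it is not part of the sandbox report or of DarkComet itself. It encodes the extracted config as indicators and runs them over constructed Sysmon-style events. Assumptions: the event field names (EventID, Image, ParentImage, TargetFilename, TargetObject, Hashes, DestinationIp, DestinationPort) follow Sysmon's schema; the %APPDATA%\Roaming parent directory in the sample events is constructed, since the report only gives the relative path MSDCSC\msdcsc.exe; treating a vbc.exe child of msdcsc.exe as the hollowing target is an inference from the "Uses the VBS compiler" and "SetThreadContext" signatures; and the mutex regex generalises the single reported value to the DC_MUTEX-<7 alphanumerics> shape.

```python
"""Triage helpers built from the DarkComet config extracted above.

Added example, not part of the sandbox report or of DarkComet itself.
Turns the extracted config into indicators and runs them over constructed
Sysmon-style events (field names assumed to follow Sysmon's schema).
"""
from __future__ import annotations
import re

# Indicators lifted from the "Malware Config" section of the report.
C2_ENDPOINTS = {("184.144.223.8", 51800), ("overcrash.no-ip.biz", 51800)}
MUTEX = "DC_MUTEX-E5P79CY"
INSTALL_PATH = r"MSDCSC\msdcsc.exe"
RUN_VALUE_NAME = "MicroUpdate"
SAMPLE_SHA256 = "e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca"

# Assumption: generalises the one reported mutex to DC_MUTEX-<7 alphanumerics>
# so other builds of the family with a different suffix are still caught.
DARKCOMET_MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")
# Captures the value name written under a per-user or machine Run key.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE
)


def is_darkcomet_mutex(name: str) -> bool:
    """True for the extracted mutex and for other names of the same shape."""
    return bool(DARKCOMET_MUTEX_RE.match(name))


def sha256_from_hashes(field: str) -> str:
    """Pull the SHA256 out of a Sysmon 'Hashes' field such as 'MD5=..,SHA256=..'."""
    for part in field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def match_event(ev: dict) -> list[str]:
    """Return the names of the report's behaviours that one event exhibits."""
    hits: list[str] = []
    eid = ev.get("EventID")
    if eid == 11 and ev.get("TargetFilename", "").lower().endswith(INSTALL_PATH.lower()):
        hits.append("dropped_install_exe")        # InstallPath / "Executes dropped EXE"
    if eid == 13:
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if m and m.group(1).lower() == RUN_VALUE_NAME.lower():
            hits.append("run_key_persistence")    # reg_key / "Adds Run key"
    if eid == 3:
        host = ev.get("DestinationIp") or ev.get("DestinationHostname")
        if (host, ev.get("DestinationPort")) in C2_ENDPOINTS:
            hits.append("c2_connection")          # C2 host:port from the config
    if eid == 1:
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "").lower()
        # Assumption: vbc.exe spawned by the implant is the hollowing target
        # ("Uses the VBS compiler" + "Suspicious use of SetThreadContext").
        if image.endswith("\\vbc.exe") and parent.endswith("\\msdcsc.exe"):
            hits.append("vbc_hollowing_host")
        if sha256_from_hashes(ev.get("Hashes", "")) == SAMPLE_SHA256:
            hits.append("known_sample_hash")
    return hits


def triage(events: list[dict]) -> dict[str, list[int]]:
    """Map each behaviour name to the indices of the events that triggered it."""
    found: dict[str, list[int]] = {}
    for i, ev in enumerate(events):
        for name in match_event(ev):
            found.setdefault(name, []).append(i)
    return found


# Constructed Sysmon-style events: five that reproduce the report's behaviours
# and two benign ones (OneDrive Run value, svchost DNS) that must not match.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\lab\Desktop\sample.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=" + SAMPLE_SHA256.upper()},
    {"EventID": 11, "Image": r"C:\Users\lab\Desktop\sample.exe",
     "TargetFilename": r"C:\Users\lab\AppData\Roaming\MSDCSC\msdcsc.exe"},
    {"EventID": 13, "Image": r"C:\Users\lab\AppData\Roaming\MSDCSC\msdcsc.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate",
     "Details": r"C:\Users\lab\AppData\Roaming\MSDCSC\msdcsc.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Users\lab\AppData\Roaming\MSDCSC\msdcsc.exe"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "DestinationIp": "184.144.223.8", "DestinationPort": 51800},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 53},
]

if __name__ == "__main__":
    for name, idx in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{name:22s} events {idx}")
    print("mutex matches family pattern:", is_darkcomet_mutex(MUTEX))
```

The mutex is checked separately because Sysmon does not record mutex creation; DC_MUTEX-E5P79CY is an indicator for memory or handle-table inspection of a running process rather than for event logs. The no-ip.biz hostname is matched on the DestinationHostname field when Sysmon has resolved it; on hosts where it has not, only the IP will match, so both entries are kept in the set.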

MITRE ATT&CK Enterprise v15

Tasks