General

  • Target

    5c2967e458b1ec2d30673da72b184e01e4cf920ee9d1d6ba4dce0327ee18bfdc

  • Size

    659KB

  • Sample

    240625-1nvfgsvgqa

  • MD5

    261b844e6da25c92ae954e3ea1aa8e6d

  • SHA1

    e47c91f39747414b4db6395657e07773fded1b8d

  • SHA256

    5c2967e458b1ec2d30673da72b184e01e4cf920ee9d1d6ba4dce0327ee18bfdc

  • SHA512

    3bebb565bb4b815cddbb42e031faadd9e387929ea5e8824da1baa96861281842b3b426114a4c04c03386332492a997477c1ce7be2ad62a309dbcc20d02c9473f

  • SSDEEP

    12288:G9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h2:iZ1xuVVjfFoynPaVBUR8f+kN10EBo

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    kurban

  • C2

    192.168.1.1:1604

  • Mutex

    DC_MUTEX-C3VMGYC

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    wlpTgvAh1kxx

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    system

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory
