General

  • Target: orbit premium.rar
  • Size: 1.2MB
  • Sample: 240723-rj254athlk
  • MD5: 4f2734db91c53a00df72b5afe9e1def9
  • SHA1: 78efee23906fe99bff2a1878569e358ad735ae7f
  • SHA256: 6593b87dd50de13bfe02bee82b2a2f0a9842cca830d1db74ae28f4b35abcca88
  • SHA512: 4812798caafad81f537d621cdec361f398a578cbe28d72a137630c2b6916b503c4c98173393793f9ba396dc74c39cc3114e5fe0e0b33e6e623993ef96986bb82
  • SSDEEP: 24576:oPO4ko61ZHJry7ibIx8O5011XrtC3TnMLtd4AlFnKzW5PO4ko61ZHJONO:oPLwdlxbIx8O5SJrqTOX4gR5PLwd+O

Malware Config

Extracted

  • Family: darkcomet
  • Botnet: Guest16
  • C2:
    novadomains.dudckdns.org:8989
    www.novadomains.duckdns.org:8989
  • Mutex: DC_MUTEX-FQ8MCQ6

Attributes

  • InstallPath: MSDCSC\msdcsc.exe
  • gencode: 6AwR7PAURuR2
  • install: true
  • offline_keylogger: true
  • persistence: true
  • reg_key: MicroUpdate

Targets

    • Target: orbit premium/CSGhost-v4.3.0.exe
    • Size: 650KB
    • MD5: 66cb0d373bb2da5caaab6bdac4e28a2a
    • SHA1: 7ff393e0c3fa10b5a9784e66a053ff9ef9e50f56
    • SHA256: 2c62eff900c082b1d5bb235de81a7fe9b26fc1f62569413add120a78ac94cd87
    • SHA512: f7f49c03a9c2953d93cf2d4253368e865c067ad1babf5ab1b471c7c07411ae95ae692dedc1b4bcd7414097f6f420a1c78750e96d4371954f9fddc579ab24b3de
    • SSDEEP: 12288:Lk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+r:g0QRWoJEfg0oChGdJQbjPbNW5tYeP+G6

    Signatures
    • Darkcomet
      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
    • Modifies WinLogon for persistence
    • Modifies firewall policy service
    • Modifies security service
    • Disables RegEdit via registry modification
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

    • Target: orbit premium/VacBypass.exe
    • Size: 650KB
    • MD5: 755dae3e1516c174460a905a3ae600a4
    • SHA1: 2ca4fe9f2e41fad399acf300c72ebc9bb3fef3ef
    • SHA256: 8761ad02b925a5858fdbcd1b39faf5c6959e3149ebe4620271fd369c620ce2a9
    • SHA512: 81565a6b15907f2b934161500cd42c82867dc8655de6e34e9cddbc0d445e5b6848cc3330986f377013ea8eb39bd64a4ea82b232c7086b49eccf68985584c106f
    • SSDEEP: 12288:Lk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+/:g0QRWoJEfg0oChGdJQbjPbNW5tYeP+Ga

    Signatures
    • Darkcomet
      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
    • Modifies WinLogon for persistence
    • Modifies firewall policy service
    • Modifies security service
    • Disables RegEdit via registry modification
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

    • Target: orbit premium/orbiteng.dll
    • Size: 1.5MB
    • MD5: ca150e99884c888fb083fe6cc943b1de
    • SHA1: 061ac7c941401c3d3c9ddc212c2cf253183c88af
    • SHA256: 9417735b3c94569965bba5e900b43da016a1a51afbe1f2673608555a1aa6ced1
    • SHA512: 8a1a7cde171a2215835adee400bba5d3e4b4a6ddd9f6c23b42fe402caf165ea281fd58ded6cd26135e72cf886c29ea32c55b56280cde518000369fbbcbaff51d
    • SSDEEP: 24576:yWqeulhybTR4MfZ+ztqZQXWaGa76iWrpGZrU0VcgFgncFs9myr8lWu:yPnhkuwyG0nFgnSs9myYlWu

    Score: 5/10

    Signatures
    • Drops file in System32 directory
