General

  • Target

    a578a73206126c16a1e1e2a45d4c4d4b8cb878ffd293f749dab65292252b9b2b.exe

  • Size

    742KB

  • Sample

    241201-rv8f9atmdw

  • MD5

    bd1e7ad6e631650ad2fe10011c9ab7fa

  • SHA1

    16152018d004af3546bb759e12b29d4f4e8722bb

  • SHA256

    a578a73206126c16a1e1e2a45d4c4d4b8cb878ffd293f749dab65292252b9b2b

  • SHA512

    1dcc024c62132814af402b16afad201e15b97b16cfdf4beef8563aa97cd2d8635f441fb10a5747994c323de2d1a5f36f03dfa95d4e75bd506fb0a2d58d4f7876

  • SSDEEP

    12288:UrAeSye4BLE0RnRO0GiAlQUZM6GR9jrHNCqZO0ZaF8RivkDOn7Ypca1oymIW2J8f:CAZyUNtiCK6c9jrtL8WnDAE2RIuws

Malware Config

Extracted

Family

darkcomet

Botnet

Dragonica

C2

192.168.0.13:1604

85.168.104.237:1604

Mutex

DC_MUTEX-AE11EHH

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    3E1WoVyr3qxU

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      a578a73206126c16a1e1e2a45d4c4d4b8cb878ffd293f749dab65292252b9b2b.exe

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Blocklisted process makes network request

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Hide Artifacts: Hidden Files and Directories

MITRE ATT&CK Enterprise v15