General

  • Target

    530f7ced4a53a9523609c6a7a1acc89e831e530653bb690b05487a217d2fcc6d.exe

  • Size

    2.8MB

  • Sample

    241201-tqqrrawjdw

  • MD5

    6d845955c67966fe45bc5c18ce252acc

  • SHA1

    6c594dca66db83d9409d02a0c48a7ef7a859d10e

  • SHA256

    530f7ced4a53a9523609c6a7a1acc89e831e530653bb690b05487a217d2fcc6d

  • SHA512

    026516b797b4aa405a316d2a2f90a15c4e0ad3fe353c7451ad7c21039b201418de1b9ec8c2a648381ef5eb38a1c7e92842e58ee0bffd03b77ffd72503033a505

  • SSDEEP

    49152:aELbVMTrOq4qQoJZdiyqcsxWjI9I/KTvUwhqh:a6b+f7QoPjIS/KTMwE

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

kbotdarkorbit.no-ip.org:10

189.186.45.5:10

192.168.1.196:10

Mutex

DC_MUTEX-RK3KJAL

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    CYK1BgXzzXZt

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate
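Two caveats before acting on the extracted C2 list: 192.168.1.196 is an RFC 1918 private address and cannot be an Internet-facing controller (it is most likely the operator's own LAN host left in the builder), and kbotdarkorbit.no-ip.org is a dynamic-DNS name, so the resolved IP can change at any time. Hunt and block on the hostname and on the mutex and install artifacts, not on a single resolved IP.

The following is an added example of the kind of config decoding that produces a block like the one above; it is not the sandbox's own extractor. It assumes, from public DarkComet write-ups rather than from this page, that the build config is stored in a PE resource named DCDATA as an upper-case hex string, RC4-encrypted under the key "#KCMDDC51#-890" plus the operator's password (empty if none), with one KEY={VALUE} line per setting and C2 entries joined by "|" in NETDATA. The raw field names (MUTEX, SID, NETDATA, EDTPATH, KEYNAME, PERSINST, OFFLINEK, ...) are likewise assumptions. The ciphertext it decodes is constructed here by encrypting a config carrying this report's values, so the whole pipeline runs offline; `extract_dcdata` needs the `pefile` package when run against a real binary.

```python
"""DarkComet 5.x build-config decoder (added example, not the sandbox's code).
Assumptions (public write-ups, not this report): config lives in PE resource
DCDATA as hex, RC4-encrypted under RC4_KEY_PREFIX + <password>, one
KEY={VALUE} per line, NETDATA = host:port entries joined by '|'.
"""
import re
from typing import Dict, List, Tuple

RC4_KEY_PREFIX = "#KCMDDC51#-890"  # assumption: DarkComet 5.1 key prefix


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric, so it also builds test vectors."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_dcdata(pe_path: str) -> str:
    """Read the DCDATA resource text from a PE file (requires `pefile`)."""
    import pefile  # optional dependency, imported lazily
    pe = pefile.PE(pe_path)
    for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        if entry.name is None or str(entry.name) != "DCDATA":
            continue
        for sub in entry.directory.entries:
            for lang in sub.directory.entries:
                st = lang.data.struct
                return pe.get_data(st.OffsetToData, st.Size).decode("latin-1")
    raise ValueError("no DCDATA resource: not a DarkComet build, or still packed")


def decrypt_dcdata(hex_blob: str, password: str = "") -> str:
    """DCDATA hex -> plaintext config. A wrong password yields garbage, not an error."""
    key = (RC4_KEY_PREFIX + password).encode("latin-1")
    return rc4(key, bytes.fromhex(hex_blob.strip())).decode("latin-1")


_LINE = re.compile(r"^([A-Z0-9_]+)=\{(.*)\}$")


def parse_config(plaintext: str) -> Dict[str, str]:
    """KEY={VALUE} lines -> dict; #BEGIN/#EOF marker lines are skipped."""
    cfg: Dict[str, str] = {}
    for line in plaintext.splitlines():
        m = _LINE.match(line.strip())
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def c2_list(cfg: Dict[str, str]) -> List[Tuple[str, int]]:
    """NETDATA 'host:port|host:port' -> [(host, port), ...]."""
    out: List[Tuple[str, int]] = []
    for entry in cfg.get("NETDATA", "").split("|"):
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit():
            out.append((host, int(port)))
    return out


def summarize(cfg: Dict[str, str]) -> dict:
    """Map the (assumed) raw field names onto the names used in the report."""
    return {
        "botnet": cfg.get("SID"),
        "c2": c2_list(cfg),
        "mutex": cfg.get("MUTEX"),
        "install": cfg.get("INSTALL") == "1",
        "install_path": cfg.get("EDTPATH"),
        "reg_key": cfg.get("KEYNAME"),
        "persistence": cfg.get("PERSINST") == "1",
        "offline_keylogger": cfg.get("OFFLINEK") == "1",
        "gencode": cfg.get("GENCODE"),
    }


# CONSTRUCTED test vector: a config carrying this report's values, encrypted
# with the routine above so the full decode path can be exercised offline.
_SAMPLE_PLAINTEXT = "\r\n".join([
    "#BEGIN DARKCOMET DATA --",
    "MUTEX={DC_MUTEX-RK3KJAL}",
    "SID={Guest16}",
    "NETDATA={kbotdarkorbit.no-ip.org:10|189.186.45.5:10|192.168.1.196:10}",
    "GENCODE={CYK1BgXzzXZt}",
    "INSTALL={1}",
    r"EDTPATH={MSDCSC\msdcsc.exe}",
    "KEYNAME={MicroUpdate}",
    "PERSINST={1}",
    "OFFLINEK={1}",
    "#EOF DARKCOMET DATA --",
])
SAMPLE_DCDATA_HEX = rc4(RC4_KEY_PREFIX.encode("latin-1"),
                        _SAMPLE_PLAINTEXT.encode("latin-1")).hex().upper()


def decode_sample() -> dict:
    """Run the complete decode path on the constructed blob."""
    return summarize(parse_config(decrypt_dcdata(SAMPLE_DCDATA_HEX)))


if __name__ == "__main__":
    for k, v in decode_sample().items():
        print(f"{k:18} {v}")
```

Against a real binary, `summarize(parse_config(decrypt_dcdata(extract_dcdata(path))))` is the full chain; if the parsed dict comes back empty, the build was either password-protected (try the password as the second argument) or a different DarkComet version with another key prefix.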

Targets

    • Target

      530f7ced4a53a9523609c6a7a1acc89e831e530653bb690b05487a217d2fcc6d.exe

    • Size

      2.8MB

    • MD5

      6d845955c67966fe45bc5c18ce252acc

    • SHA1

      6c594dca66db83d9409d02a0c48a7ef7a859d10e

    • SHA256

      530f7ced4a53a9523609c6a7a1acc89e831e530653bb690b05487a217d2fcc6d

    • SHA512

      026516b797b4aa405a316d2a2f90a15c4e0ad3fe353c7451ad7c21039b201418de1b9ec8c2a648381ef5eb38a1c7e92842e58ee0bffd03b77ffd72503033a505

    • SSDEEP

      49152:aELbVMTrOq4qQoJZdiyqcsxWjI9I/KTvUwhqh:a6b+f7QoPjIS/KTMwE

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
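The persistence behaviours above leave two registry footprints a responder can check on any host: a Run value (named MicroUpdate in this build) that launches the dropped copy, and an extra entry appended to the Winlogon Userinit value. The script below is an added example, not the sandbox's detection logic; it parses a `reg export` text file offline and flags both footprints, plus an optional live check for the DC_MUTEX-RK3KJAL mutex when run on Windows. The .reg content it scans is constructed here with this report's install path and value name; the Run and Winlogon key locations are the standard Windows ones, and `mutex_exists` uses the Win32 OpenMutexW call via ctypes.

```python
"""Hunt for DarkComet persistence footprints in a .reg export (added example).
Only string (REG_SZ) values of the form "name"="data" are parsed; dword:/hex:
values are ignored, which is enough for Run and Userinit checks.
"""
import re
import sys
from typing import Dict, List, Tuple

_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """{key path: {value name: string data}} from `reg export` output."""
    reg: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            reg.setdefault(section, {})
        elif section and line.startswith('"'):
            m = _VALUE.match(line)
            if m:
                reg[section][_unescape(m.group(1))] = _unescape(m.group(2))
    return reg


def hunt(reg_text: str, run_value_name: str = "MicroUpdate",
         install_tail: str = r"MSDCSC\msdcsc.exe") -> List[Tuple[str, str, str, str]]:
    """Return (key, value name, data, reason) for each persistence hit."""
    hits: List[Tuple[str, str, str, str]] = []
    tail = install_tail.lower()
    for key, values in parse_reg_export(reg_text).items():
        k = key.lower()
        if k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            for name, data in values.items():
                if name.lower() == run_value_name.lower():
                    hits.append((key, name, data, "Run value name matches reg_key"))
                elif tail in data.lower():
                    hits.append((key, name, data, "Run value launches the install path"))
        elif k.endswith("\\currentversion\\winlogon"):
            userinit = values.get("Userinit", "")
            extra = [e.strip() for e in userinit.split(",")
                     if e.strip() and e.strip().rsplit("\\", 1)[-1].lower() != "userinit.exe"]
            if extra:  # anything beyond the stock userinit.exe is a modification
                hits.append((key, "Userinit", userinit, "extra Userinit entries: " + "; ".join(extra)))
    return hits


def mutex_exists(name: str):
    """Live check for a named mutex; None when not running on Windows."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    h = k32.OpenMutexW(0x00100000, False, name)  # SYNCHRONIZE access
    if not h:
        return False
    k32.CloseHandle(ctypes.c_void_p(h))
    return True


# CONSTRUCTED export: one benign Run entry plus both DarkComet footprints.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"MicroUpdate"="C:\\Users\\user\\Documents\\MSDCSC\\msdcsc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\user\\Documents\\MSDCSC\\msdcsc.exe,"
"Shell"="explorer.exe"
'''

if __name__ == "__main__":
    for key, name, data, reason in hunt(SAMPLE_REG_EXPORT):
        print(f"{reason}\n  {key}\\{name} = {data}")
    print("mutex DC_MUTEX-RK3KJAL present:", mutex_exists("DC_MUTEX-RK3KJAL"))
```

On a suspect machine, export the relevant hives (`reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and the Winlogon key the same way) and feed the files to `hunt`; a hit on the Userinit value is worth treating as a compromise even when the Run value has already been cleaned up, since the two are set independently.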
