General

  • Target

    c0e342ac962f7922722645e8bc2315a7c37e13d8b1f1e76dbb4cf8ad9e64fa83.exe

  • Size

    911KB

  • Sample

    241201-zdpa2s1mdt

  • MD5

    4f166133072870ee10e716ce07dce7d7

  • SHA1

    a45d9d51f63d7169f61a8298c3c1a6360836ac15

  • SHA256

    c0e342ac962f7922722645e8bc2315a7c37e13d8b1f1e76dbb4cf8ad9e64fa83

  • SHA512

    e219c7af0b7d3fd28c0c67e7b255ee0ab581cafc110f7204577ca22e50cc3fb64d9dd528c7dcaa8e5cf7434c284b35c836dcf8c985540325a156aad6c5f8af10

  • SSDEEP

    12288:GJd7xDyNZHN32RDRua9FZzrGHQTMDPnA46X3/aeSGxF10mhXWty7Xy5mQmkR/zEm:6dtuNtN32rRLZqQyp4HSGxZhXWO5m

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

efosa94949.no-ip.biz:1604

Mutex

DC_MUTEX-7SCGJWM

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    k0FWSrLTENGX

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      c0e342ac962f7922722645e8bc2315a7c37e13d8b1f1e76dbb4cf8ad9e64fa83.exe

    • Size

      911KB

    • MD5

      4f166133072870ee10e716ce07dce7d7

    • SHA1

      a45d9d51f63d7169f61a8298c3c1a6360836ac15

    • SHA256

      c0e342ac962f7922722645e8bc2315a7c37e13d8b1f1e76dbb4cf8ad9e64fa83

    • SHA512

      e219c7af0b7d3fd28c0c67e7b255ee0ab581cafc110f7204577ca22e50cc3fb64d9dd528c7dcaa8e5cf7434c284b35c836dcf8c985540325a156aad6c5f8af10

    • SSDEEP

      12288:GJd7xDyNZHN32RDRua9FZzrGHQTMDPnA46X3/aeSGxF10mhXWty7Xy5mQmkR/zEm:6dtuNtN32rRLZqQyp4HSGxZhXWO5m

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks