General

  • Target

    Exploit++ Downloader.exe

  • Size

    27KB

  • Sample

    241201-zgs4ea1nbv

  • MD5

    d363863c21f0d453eaaa438f00027554

  • SHA1

    7ba078266d3151068b500b9ce8cc4e579ad84a4a

  • SHA256

    12eafe77459f406a8187cb7675249dfed1b214f47eff60d1291b42ed00c576e4

  • SHA512

    1ff53e7a3f6eee3b99111a79bded3106fb809bd494b23839a5790a78f8b6baedbfaa707a16ceda481f93edde4d9b8bae06f12c444e16f7def5ce06f297f2bc37

  • SSDEEP

    384:SsuozKPc0cDxRHXLRq418p/d6tVqQ4m9lHM1UopuJE5UjovhObRZUbjMUWDBVhIB:TLLIXTEs1Urjov4RScUWD7hq7W2e0W0

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

147.185.221.24:14161

Mutex

RO_MUTEX-QFYD2RJ

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    scW2Kk9yHEWs

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    GoogleDebugJ

Targets

    • Target

      Exploit++ Downloader.exe

    • Size

      27KB

    • MD5

      d363863c21f0d453eaaa438f00027554

    • SHA1

      7ba078266d3151068b500b9ce8cc4e579ad84a4a

    • SHA256

      12eafe77459f406a8187cb7675249dfed1b214f47eff60d1291b42ed00c576e4

    • SHA512

      1ff53e7a3f6eee3b99111a79bded3106fb809bd494b23839a5790a78f8b6baedbfaa707a16ceda481f93edde4d9b8bae06f12c444e16f7def5ce06f297f2bc37

    • SSDEEP

      384:SsuozKPc0cDxRHXLRq418p/d6tVqQ4m9lHM1UopuJE5UjovhObRZUbjMUWDBVhIB:TLLIXTEs1Urjov4RScUWD7hq7W2e0W0

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks