General

  • Target

    03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe

  • Size

    5.3MB

  • Sample

    241207-zxsskstlgx

  • MD5

    c13d6d5a9aa229499ee0ff1f698a2ee0

  • SHA1

    2a7ac214047525c963cfd8d1be692c50bdbb9c46

  • SHA256

    03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84ba

  • SHA512

    5c9e4b30dbd6c5414ea04a70b109e6dc9f8287affe014e47ed0797ff63ac904223751557e44bff99cf8ecfce3c8b748cef55c1d3db88905431f4049039042059

  • SSDEEP

    98304:aOQGc830HeOIk0ons6U523lPWZIERFog7icldle+HJFD4:hrj30qkXnsr2YIIog7if+HJFs

Malware Config

Extracted

Family

darkcomet

Botnet

GoogleDebugger

C2

147.185.221.24:14161

Mutex

RO_MUTEX-8HU43EZ

Attributes

  • InstallPath

    ChromeCookies\ChromeCookie.exe

  • gencode

    WN0BLB8aPxBw

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    GoogleDebugJ

Targets

    • Target

      03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe

    • Size

      5.3MB

    • MD5

      c13d6d5a9aa229499ee0ff1f698a2ee0

    • SHA1

      2a7ac214047525c963cfd8d1be692c50bdbb9c46

    • SHA256

      03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84ba

    • SHA512

      5c9e4b30dbd6c5414ea04a70b109e6dc9f8287affe014e47ed0797ff63ac904223751557e44bff99cf8ecfce3c8b748cef55c1d3db88905431f4049039042059

    • SSDEEP

      98304:aOQGc830HeOIk0ons6U523lPWZIERFog7icldle+HJFD4:hrj30qkXnsr2YIIog7if+HJFs

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Sets file to hidden

      Sets the hidden file attribute so the file is not shown by Explorer and similar tools.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

MITRE ATT&CK Enterprise v15

Tasks