General

  • Target

    nigger.exe.exe

  • Size

    659KB

  • Sample

    241209-r52rfswlcn

  • MD5

    4d0069878257afd27433e0db326b8e63

  • SHA1

    d00368f8a80adaf4dd1e3ff6800e69d6efb1a1b2

  • SHA256

    1164de18c44320bc1d92310c7002185d2a06f45bba23500dd0ad88767cee9352

  • SHA512

    868c01f85b390f83519d628493c9d2b8d0e3e912ff1f9308ed0978e21356d32086845d4a4179dc89a850de89ea2de5563cd0b3e46684f97e9344401e103a814a

  • SSDEEP

    12288:W9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hp:yZ1xuVVjfFoynPaVBUR8f+kN10EB3

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

rose324-37147.portmap.host:37147

Mutex

DC_MUTEX-YULHUJ6

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    X3yvBS4bvB0u

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    realtekaudio

Targets

    • Target

      nigger.exe.exe

    • Size

      659KB

    • MD5

      4d0069878257afd27433e0db326b8e63

    • SHA1

      d00368f8a80adaf4dd1e3ff6800e69d6efb1a1b2

    • SHA256

      1164de18c44320bc1d92310c7002185d2a06f45bba23500dd0ad88767cee9352

    • SHA512

      868c01f85b390f83519d628493c9d2b8d0e3e912ff1f9308ed0978e21356d32086845d4a4179dc89a850de89ea2de5563cd0b3e46684f97e9344401e103a814a

    • SSDEEP

      12288:W9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hp:yZ1xuVVjfFoynPaVBUR8f+kN10EB3

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks