General

  • Target

    cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88

  • Size

    3.2MB

  • Sample

    241216-dqnpds1ndz

  • MD5

    f2395e55fc1ed3d2eda2a3bdd13d8af6

  • SHA1

    bf5fa44a16a1ba7d772b6722552ed9525a965ee1

  • SHA256

    cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88

  • SHA512

    69334c6ee8df715b3373eb65f2aba85c4fbcf9fa9e6548b1b1910b646335cad97dfb36e553061aa756cc6dd881f63acff351464a515323227aa164342bb9724f

  • SSDEEP

    49152:9gYvvhIIP0qkE+ZZPhrXXi3kmPlfD34C7/tcHk3oFughjfqKw07txr18zoTC:9gYv55j43H+9k21cu6ughTqKw07tx2f

Malware Config

Extracted

Family

darkcomet

Botnet

ROLLEO

C2

127.0.0.1:1607

109.226.126.84:1607

Mutex

DC_MUTEX-SR7HAR4

Attributes

  • InstallPath

    WindowsDefencer\Update.exe

  • gencode

    TeJuc1dkNHmJ

  • install

    true

  • offline_keylogger

    false

  • persistence

    true

  • reg_key

    Windows Defencer

Targets

    • Target

      cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88

    • Size

      3.2MB

    • MD5

      f2395e55fc1ed3d2eda2a3bdd13d8af6

    • SHA1

      bf5fa44a16a1ba7d772b6722552ed9525a965ee1

    • SHA256

      cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88

    • SHA512

      69334c6ee8df715b3373eb65f2aba85c4fbcf9fa9e6548b1b1910b646335cad97dfb36e553061aa756cc6dd881f63acff351464a515323227aa164342bb9724f

    • SSDEEP

      49152:9gYvvhIIP0qkE+ZZPhrXXi3kmPlfD34C7/tcHk3oFughjfqKw07txr18zoTC:9gYv55j43H+9k21cu6ughTqKw07tx2f

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Disables RegEdit via registry modification

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks