General

  • Target: fc42dba54aad4d62a0e50112ef6cda210285f7fb1f388dc1a6ac6fab99335ba7
  • Size: 1.6MB
  • Sample: 241216-fmqqpavqbz
  • MD5: d05d8198490af311c08159b1d19801e3
  • SHA1: d8e458d94e97e0f4270ed76798cb53741094762c
  • SHA256: fc42dba54aad4d62a0e50112ef6cda210285f7fb1f388dc1a6ac6fab99335ba7
  • SHA512: d74f98ef1a24a8589e8c525b2848e8d4f78f412227fb3979c48d79d3b4a8428e9a30c4de0b01db301cec21f71f0ea36d8b599191236759128aec3ed382fe2490
  • SSDEEP: 49152:biRnatOaP7Y9k0wK7/l20+FxyqfuXBO15oAlwmSiNL:biotxPWk0wKzllEyIcBO1yAlJS

Malware Config

Extracted

Family: darkcomet
Botnet: Sazan
C2: 95.173.236.101:1604
Mutex: DC_MUTEX-QVKEB01

Attributes
  • InstallPath: MSDCSC\msdcsc.exe
  • gencode: L14htyU8W4iS
  • install: true
  • offline_keylogger: true
  • persistence: true
  • reg_key: MicroUpdate

Targets

    • Darkcomet
      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
    • Darkcomet family
    • Modifies WinLogon for persistence
    • Modifies firewall policy service
    • Modifies security service
    • Windows security bypass
    • Disables RegEdit via registry modification
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Windows security modification
    • Adds Run key to start application
    • Legitimate hosting services abused for malware hosting/C2
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • UPX packed file
      Detects executables packed with UPX or a modified UPX open-source packer.
