General

  • Target

    8d73ac73eba45b1db3a844ab6422a62cde5df9b50b8341a8b1f1890306df8170N.exe

  • Size

    1.1MB

  • Sample

    241216-g32nkayrgp

  • MD5

    f3edc773c01fb12320894e8a2ad77a60

  • SHA1

    3d86b6de4f4f1b923e279701d754d049642930f2

  • SHA256

    8d73ac73eba45b1db3a844ab6422a62cde5df9b50b8341a8b1f1890306df8170

  • SHA512

    1433d224bf7906af0d1212497fe44851d158cab1fe9f17cef54ccde33798d8f959d210a7f02f387ddae6e28f1a2d2f1b28421271d82b28fb82ccb9c009e68e71

  • SSDEEP

    24576:cxmevFZfsrcTxNUlZIVVa5ILh9Rhw6us5Tev:Ome9JpNUlyVa5I0s2

Malware Config

Extracted

Family

darkcomet

Botnet

HACKER3

C2

192.168.50.131:1604

Mutex

DC_MUTEX-3NPS047

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    Y1vgLbKRvW3j

  • install

    true

  • offline_keylogger

    true

  • password

    WELCOME3

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      8d73ac73eba45b1db3a844ab6422a62cde5df9b50b8341a8b1f1890306df8170N.exe

    • Size

      1.1MB

    • MD5

      f3edc773c01fb12320894e8a2ad77a60

    • SHA1

      3d86b6de4f4f1b923e279701d754d049642930f2

    • SHA256

      8d73ac73eba45b1db3a844ab6422a62cde5df9b50b8341a8b1f1890306df8170

    • SHA512

      1433d224bf7906af0d1212497fe44851d158cab1fe9f17cef54ccde33798d8f959d210a7f02f387ddae6e28f1a2d2f1b28421271d82b28fb82ccb9c009e68e71

    • SSDEEP

      24576:cxmevFZfsrcTxNUlZIVVa5ILh9Rhw6us5Tev:Ome9JpNUlyVa5I0s2

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks