General
-
Target
bootrapper.exe
-
Size
659KB
-
Sample
241224-thdgfs1mft
-
MD5
47d6f4568c595516da96c145041a3cb5
-
SHA1
c154426bdaaf8c990a7b74e66704b5bb1d211e9b
-
SHA256
b2bf2e2342c30fa96bf81879c95051176487b952795c2518a43af4985cb4c7cf
-
SHA512
6560d49aa1e2f179b9207cfd424e69a4805a696fd6ac5c7d2227fbfa8fe02bb52e9798ce7db91e666475b841dd0e118514f2e8f512c5e7cfc4c5b9d8a5c3f6c2
-
SSDEEP
12288:C9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hQ:uZ1xuVVjfFoynPaVBUR8f+kN10EBa
Malware Config
Extracted
darkcomet
Guest165
rose324-33082.portmap.host:33082
DC_MUTEX-VFEJX89
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
pmatwZA6QE8v
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
realtekaudio
Targets
-
-
Target
bootrapper.exe
-
Size
659KB
-
MD5
47d6f4568c595516da96c145041a3cb5
-
SHA1
c154426bdaaf8c990a7b74e66704b5bb1d211e9b
-
SHA256
b2bf2e2342c30fa96bf81879c95051176487b952795c2518a43af4985cb4c7cf
-
SHA512
6560d49aa1e2f179b9207cfd424e69a4805a696fd6ac5c7d2227fbfa8fe02bb52e9798ce7db91e666475b841dd0e118514f2e8f512c5e7cfc4c5b9d8a5c3f6c2
-
SSDEEP
12288:C9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hQ:uZ1xuVVjfFoynPaVBUR8f+kN10EBa
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Modifies security service
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6