General

  • Target

    bootrapper.exe

  • Size

    659KB

  • Sample

    241224-thdgfs1mft

  • MD5

    47d6f4568c595516da96c145041a3cb5

  • SHA1

    c154426bdaaf8c990a7b74e66704b5bb1d211e9b

  • SHA256

    b2bf2e2342c30fa96bf81879c95051176487b952795c2518a43af4985cb4c7cf

  • SHA512

    6560d49aa1e2f179b9207cfd424e69a4805a696fd6ac5c7d2227fbfa8fe02bb52e9798ce7db91e666475b841dd0e118514f2e8f512c5e7cfc4c5b9d8a5c3f6c2

  • SSDEEP

    12288:C9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hQ:uZ1xuVVjfFoynPaVBUR8f+kN10EBa

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest165

  • C2

    rose324-33082.portmap.host:33082

  • Mutex

    DC_MUTEX-VFEJX89

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    pmatwZA6QE8v

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    realtekaudio

Targets

    • Target

      bootrapper.exe

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies security service

    • Windows security bypass

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar tools.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application
