General

  • Target

    bootrapper.exe

  • Size

    252KB

  • Sample

    241224-tqaqja1ren

  • MD5

    01953706ef629f45ee13fad39f460a3f

  • SHA1

    f8e1c54a525d78bb8566bda9c68e33ebd837ede2

  • SHA256

    790eda6eaf6d80b9411b25cee4923f786047cac3cdf305406a48352ac1e8d7ef

  • SHA512

    3f82938efb0371edf0b6320439b051b2d6e61b98a3b9b0cb110cec5786ed5868f01822c1d5663e641be09969399e669141df6ecdcbb45202da7a37cd2174bce6

  • SSDEEP

    6144:DcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37j:DcW7KEZlPzCy37

Malware Config

Extracted

Family

darkcomet

Botnet

Guest1f63242

C2

rose324-33082.portmap.host:33082

Mutex

DC_MUTEX-P2LESEA

Attributes
  • InstallPath

    MSDCSC\msdcsjc.exe

  • gencode

    lGW4qX7RHbjT

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    reahltekaudio

Targets

    • Target

      bootrapper.exe

    • Size

      252KB

    • MD5

      01953706ef629f45ee13fad39f460a3f

    • SHA1

      f8e1c54a525d78bb8566bda9c68e33ebd837ede2

    • SHA256

      790eda6eaf6d80b9411b25cee4923f786047cac3cdf305406a48352ac1e8d7ef

    • SHA512

      3f82938efb0371edf0b6320439b051b2d6e61b98a3b9b0cb110cec5786ed5868f01822c1d5663e641be09969399e669141df6ecdcbb45202da7a37cd2174bce6

    • SSDEEP

      6144:DcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37j:DcW7KEZlPzCy37

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks