General

  • Target

    eer.scr

  • Size

    659KB

  • Sample

    241224-tvtn7ssjdl

  • MD5

    be29e126a2cb27cc281d4504ab88555b

  • SHA1

    32c2fd591ecc7a42e54c8e4f62eeb4669e343bc9

  • SHA256

    e24930d91f43b695bc71cbcf0ce9e924f3f83787c29e5671aa412806468f3f30

  • SHA512

    bb0cbae3105846938a5954cfe089917330ed163c85f9ad19ff73133c3d32e8a5548aaa117cb28c341686b3eae591c7a29737eb706b65a0edc8c1f70fea6d4f02

  • SSDEEP

    12288:O9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hb:aZ1xuVVjfFoynPaVBUR8f+kN10EBN

Malware Config

Extracted

Family

darkcomet

Botnet

Guest1f63242m

C2

rose324-64643.portmap.host:64643

Mutex

DC_MUTEX-E28WFKY

Attributes
  • InstallPath

    MSDCSC\msdcsjc.exe

  • gencode

    AXE6r2QM7fs8

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    reahltekaudio

Targets

    • Target

      eer.scr

    • Size

      659KB

    • MD5

      be29e126a2cb27cc281d4504ab88555b

    • SHA1

      32c2fd591ecc7a42e54c8e4f62eeb4669e343bc9

    • SHA256

      e24930d91f43b695bc71cbcf0ce9e924f3f83787c29e5671aa412806468f3f30

    • SHA512

      bb0cbae3105846938a5954cfe089917330ed163c85f9ad19ff73133c3d32e8a5548aaa117cb28c341686b3eae591c7a29737eb706b65a0edc8c1f70fea6d4f02

    • SSDEEP

      12288:O9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hb:aZ1xuVVjfFoynPaVBUR8f+kN10EBN

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks