General
Target: 3b1ecaa75aea2d88f951ad45dad108d7e1ba9fdf56bcc34fcf7ab8b58c5eeee2
Size: 788KB
Sample: 250102-1xc8kazqan
MD5: 615d3ff5f5ce005a389a449840076c60
SHA1: 8cb3f195b4448968c98c78182168d305103095bd
SHA256: 3b1ecaa75aea2d88f951ad45dad108d7e1ba9fdf56bcc34fcf7ab8b58c5eeee2
SHA512: 63f5613736c2b9f1be812356279ae90b4c3d421b6e5737b3e54090bc72317c0e10d3061b4c084c8dc10a59ae3eb514af85bca1b07cfef526d12a08c8839472e0
SSDEEP: 24576:nydhdSZQgDjhwXklxaUpOh+bVtDSLVIlAiTc1iq:7Zd/WOxavh4VILVWAiTEj
Static task: static1
Behavioral task: behavioral1
Sample: 3b1ecaa75aea2d88f951ad45dad108d7e1ba9fdf56bcc34fcf7ab8b58c5eeee2.exe
Resource: win7-20240903-en
Malware Config
Extracted: darkcomet
Hack
gnx.zapto.org:1604
DC_MUTEX-JPB8HU8
InstallPath: MSDCSC\AppleMobileDevide.exe
gencode: H0ZSpRUYyeXZ
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Targets
Target: 3b1ecaa75aea2d88f951ad45dad108d7e1ba9fdf56bcc34fcf7ab8b58c5eeee2
Size: 788KB
MD5: 615d3ff5f5ce005a389a449840076c60
SHA1: 8cb3f195b4448968c98c78182168d305103095bd
SHA256: 3b1ecaa75aea2d88f951ad45dad108d7e1ba9fdf56bcc34fcf7ab8b58c5eeee2
SHA512: 63f5613736c2b9f1be812356279ae90b4c3d421b6e5737b3e54090bc72317c0e10d3061b4c084c8dc10a59ae3eb514af85bca1b07cfef526d12a08c8839472e0
SSDEEP: 24576:nydhdSZQgDjhwXklxaUpOh+bVtDSLVIlAiTc1iq:7Zd/WOxavh4VILVWAiTEj
- Darkcomet family
- Modifies WinLogon for persistence
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)