General

  • Target

    DarkComet_-_v.5.3.1_FWB.zip

  • Size

    15.2MB

  • Sample

    250114-hhnfwaskdl

  • MD5

    2198e442609a28a84653d700ef1fb501

  • SHA1

    c6caa5d1b457de542f04d5845d67c5c7676db148

  • SHA256

    adbc98dac44fb8972064a49ebb3112bd4fd0cdee6717a19bcc18553321a068d6

  • SHA512

    cff1a782b912a44af8ab12770b2a76dd494ae8fdc596b0c7f67ff1e2902f72cdf3807a6675dec4972ed7459bd1c47eaa839c7fb04fa4004b2214de0f1965bdf7

  • SSDEEP

    393216:uFj55EAdqMASOu3kIxQbtTXQpeaFmPxwX+8uKzk:uFF5dmSONxbtTAkaF0o+80

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    dnsali.3utilities.com:1604

  • Mutex

    DC_MUTEX-S3VT824

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    aedfreoKqqaC

  • install

    true

  • offline_keylogger

    true

  • password

    12022005

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      DarkComet - v.5.3.1 FWB.exe

    • Size

      17.4MB

    • MD5

      c024f8b0b4261b9be1b91c6ade2dda7c

    • SHA1

      4906f7060ab6480b74f7595c35d980c6362fc5b2

    • SHA256

      8df919d13e79c80c26053c7aa529fc3a0b49c0db77f957b38c49e80e9ffb53a4

    • SHA512

      0ad21960063804c974f09dc7043e9ed4f0769387bab72e391dc2d51ad0a01e385a5b00c6047ec9c7907023aebeb3d61b7725052c7d980a607e220222eb760d43

    • SSDEEP

      196608:j9MP1MAjVO50UX2gZ71Sh2c8YcGrDUHFy0L+jvKqivOt4AdomZ0p1lm2fB1p4oUg:j9MP1Q6F8RC8tQRiqcU4mzKp1E2fBS

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      sqlite3.dll

    • Size

      510KB

    • MD5

      d3979db259f55d59b4edb327673c1905

    • SHA1

      0697e8f35b5951c61a3a632d74fd96843c941628

    • SHA256

      043e5570299c6099756c1809c5632eabeab95ed3c1a55c86843c0ec218940e5a

    • SHA512

      0b87c89aafd3e627c7d6bed0b833601fea1917a76a972061f32a2d9e4aa2e9e85b5e8a67cb330ca44aff17915d0fe2793798451a109d3f0b5014eed06b73bb45

    • SSDEEP

      12288:eiTjR6kna/KzsHIoufPiL5JXjKaarzWovTSmja9q96fQkw8dw:em8NCzsooOPiXT6rSov2mjVw3w

    Score
    3/10

MITRE ATT&CK Enterprise v15