General
- Target: 3ca06deaa1db0bb6853a63f8f3f1aab51fd1508d79b698e1a95bd7b878738263
- Size: 1.3MB
- Sample: 250212-17a6yszkg1
- MD5: 36184c308fc88f7d55fbea44f4624f61
- SHA1: 750cdded9a235e6b18b88488e2e3d70675be56dd
- SHA256: 3ca06deaa1db0bb6853a63f8f3f1aab51fd1508d79b698e1a95bd7b878738263
- SHA512: dcc6c44ce3ff3192d7872c24fd7f1c09f38c58a907295752e33d93531145ae06f6118510873649547529d6069bd6d9600ddeeff0a56ebed8718d3c62eb1908c6
- SSDEEP: 24576:bZ1xuVVjfFoynPaVBUR8f+kN10EBSZ1xuVVjfFoynPaVBUR8f+kN10EBC:9QDgok30dQDgok30R
Behavioral task: behavioral1
- Sample: 3ca06deaa1db0bb6853a63f8f3f1aab51fd1508d79b698e1a95bd7b878738263.exe
- Resource: win7-20241023-en
Malware Config
Extracted: darkcomet
- Campaign ID (botnet): Guest16
- C2: husodct.duckdns.org:63
- Mutex: DC_MUTEX-GEQM67F
- InstallPath: Windows Update
- gencode: lKYGgTjpdSJN
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: Win Update
Extracted: darkcomet
- gencode:
- install: false
- offline_keylogger: false
- persistence: false
Targets
- Target: 3ca06deaa1db0bb6853a63f8f3f1aab51fd1508d79b698e1a95bd7b878738263
- Darkcomet family
- Modifies WinLogon for persistence
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1