General

  • Target

    gay.vmp.exe

  • Size

    3.4MB

  • Sample

    250224-ny42fs1jw6

  • MD5

    54d74323a9382ca46d533d57dc3798fd

  • SHA1

    001721db4ec94edfe21530940173ebc60e64d0c9

  • SHA256

    61ffa10fa68639632136428fe16528e6745d18773cd9195773340e0cdb07f089

  • SHA512

    3e66b1fc37f296553194a954384dd51ebeb8aca5ab999ba68bc651a2312d2305d944536d220f7f827b6b27a9399245480840d9d21a8c24ccefd53c706b173c54

  • SSDEEP

    98304:S8NX0hfNrujZvkwKGz8XuDAWzGkGUHV23qmzWF6c:L6lFSBKxeDAAGfR3vzi

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

hai1723rat.serveminecraft.net:7560

Mutex

DC_MUTEX-95G7AC1

Attributes
  • InstallPath

    7560\msdcsc.exe

  • gencode

    osFKzQR4UCG6

  • install

    true

  • offline_keylogger

    true

  • password

    TAODEPTRAIOK

  • persistence

    true

  • reg_key

    updatesever

rc4.plain
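
The attributes above are what a config extractor recovers from the RC4-decrypted configuration (the rc4.plain field of the report). As an added example that is not part of this report or of any extractor the sandbox uses, the Python below implements RC4, decrypts a hex-encoded blob and maps the builder's KEY={value} lines onto the report's attribute names. The key (#KCMDDC51#-890, the widely documented default for DarkComet 5.1 builds), the key-to-attribute mapping and the blob itself are assumptions: the blob is constructed here by encrypting the report's own values, because the sample's encrypted resource is not on the page.

```python
# Added example: decrypt and parse a DarkComet-style configuration.
# Not code from the sandbox report. Key, field names and the blob are assumptions.

FIELD_MAP = {  # builder config key -> report attribute name (assumed mapping)
    "MUTEX": "mutex", "SID": "botnet", "NETDATA": "c2", "GENCODE": "gencode",
    "INSTALL": "install", "EDTPATH": "InstallPath", "KEYNAME": "reg_key",
    "PERSINST": "persistence", "OFFLINEK": "offline_keylogger", "PWD": "password",
}
BOOL_FIELDS = {"install", "persistence", "offline_keylogger"}

# Widely documented default key for DarkComet 5.1 builds; an assumption for this sample.
DEFAULT_KEY = b"#KCMDDC51#-890"

# Constructed plaintext in the builder's KEY={value} layout, filled with the report's values.
SAMPLE_PLAIN = (
    "#BEGIN DARKCOMET DATA --\r\n"
    "MUTEX={DC_MUTEX-95G7AC1}\r\n"
    "SID={Guest16}\r\n"
    "NETDATA={hai1723rat.serveminecraft.net:7560}\r\n"
    "GENCODE={osFKzQR4UCG6}\r\n"
    "INSTALL={1}\r\n"
    "EDTPATH={7560\\msdcsc.exe}\r\n"
    "KEYNAME={updatesever}\r\n"
    "PERSINST={1}\r\n"
    "OFFLINEK={1}\r\n"
    "PWD={TAODEPTRAIOK}\r\n"
    "#EOF DARKCOMET DATA --\r\n"
)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so one function encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_config(plain: str) -> dict:
    """Turn KEY={value} lines into the report's attributes; markers and unknown keys are skipped."""
    cfg = {}
    for line in plain.splitlines():
        if "={" not in line or not line.endswith("}"):
            continue
        key, value = line.split("={", 1)
        name = FIELD_MAP.get(key)
        if name is not None:
            value = value[:-1]                 # drop the closing brace
            cfg[name] = (value == "1") if name in BOOL_FIELDS else value
    return cfg


def extract(hex_blob: str, key: bytes = DEFAULT_KEY) -> dict:
    """Hex-decode, RC4-decrypt and parse; a wrong key recovers no fields and is reported."""
    plain = rc4(key, bytes.fromhex(hex_blob)).decode("latin-1")
    cfg = parse_config(plain)
    if not cfg:
        raise ValueError("no DarkComet fields recovered: wrong key or not a DarkComet config")
    return cfg


def build_sample(key: bytes = DEFAULT_KEY) -> str:
    """Constructed stand-in for the sample's encrypted resource: RC4 ciphertext as an upper-case hex string."""
    return rc4(key, SAMPLE_PLAIN.encode("latin-1")).hex().upper()


if __name__ == "__main__":
    for name, value in extract(build_sample()).items():
        print(f"{name}: {value}")
```

The ValueError on an empty result is the practical check: decrypting with the wrong version key produces bytes that never contain a KEY={value} line, so "no fields" is the signal to try another known DarkComet key rather than to trust garbage.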

Targets

    • Target

      gay.vmp.exe

    • Darkcomet

      DarkComet is a remote access trojan (RAT) written by Jean-Pierre Lesueur (DarkCoderSc). Its development was discontinued in 2012, but leaked builders are still used to produce new samples.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Sets the hidden attribute on the dropped file so that Explorer and similar tools do not show it by default.

    • Checks computer location settings

      Reads the country code configured in the registry, most likely to geofence which victims the payload runs on.

    • Deletes itself

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with the commercial VMProtect packer; the .vmp suffix in the target's file name is consistent with this.

    • Adds Run key to start application

    • Drops file in System32 directory
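
The persistence signatures above can be reproduced as host-side detection logic. As an added example that is not part of this report, the Python below runs four of them (Run key creation, Winlogon Userinit modification, a file dropped into System32 and execution of a file created earlier in the same log) over constructed Sysmon-style events. The paths, the user SID and the writer allowlist are assumptions built from the report's InstallPath and reg_key values; the real sample's exact registry hive and install directory are not on the page.

```python
# Added example: host-side checks mirroring the report's persistence signatures,
# run over constructed Sysmon-style events. Not code from the sandbox.
# Paths, the user SID and the allowlist below are assumptions.

SYSTEM32 = "c:\\windows\\system32\\"
RUN_KEY_MARKER = "\\software\\microsoft\\windows\\currentversion\\run\\"
USERINIT_DEFAULT = "c:\\windows\\system32\\userinit.exe"
# Images allowed to write into System32 without an alert (assumed allowlist, far from complete).
TRUSTED_WRITERS = {"c:\\windows\\servicing\\trustedinstaller.exe"}

# Constructed events: id 11 = FileCreate, 13 = RegistryEvent (value set), 1 = ProcessCreate.
EVENTS = [
    {"id": 11, "image": r"C:\Users\victim\Downloads\gay.vmp.exe",
     "target": r"C:\Windows\System32\7560\msdcsc.exe"},
    {"id": 11, "image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "target": r"C:\Windows\System32\drivers\etc\hosts"},                      # benign
    {"id": 13, "image": r"C:\Windows\System32\7560\msdcsc.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\updatesever",
     "details": r"C:\Windows\System32\7560\msdcsc.exe"},
    {"id": 13, "image": r"C:\Windows\System32\7560\msdcsc.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe,C:\Windows\System32\7560\msdcsc.exe"},
    {"id": 13, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe,"},                         # benign: default value
    {"id": 1, "image": r"C:\Windows\System32\7560\msdcsc.exe",
     "parent": r"C:\Users\victim\Downloads\gay.vmp.exe"},
]


def check_run_key(ev):
    """Any value written under a Run key; the value name is the report's reg_key."""
    if ev["id"] != 13 or RUN_KEY_MARKER not in ev["target"].lower():
        return None
    value_name = ev["target"].rsplit("\\", 1)[-1]
    return ("Adds Run key to start application", f"{value_name} = {ev['details']}")


def check_userinit(ev):
    """Userinit is a comma-separated list; anything beyond the default userinit.exe runs at logon."""
    if ev["id"] != 13 or not ev["target"].lower().endswith("\\winlogon\\userinit"):
        return None
    entries = [e.strip().lower() for e in ev["details"].split(",") if e.strip()]
    extra = [e for e in entries if e != USERINIT_DEFAULT]
    return ("Modifies WinLogon for persistence", ", ".join(extra)) if extra else None


def check_system32_drop(ev):
    """File created under System32 by a process that is not on the allowlist."""
    if ev["id"] != 11 or not ev["target"].lower().startswith(SYSTEM32):
        return None
    if ev["image"].lower() in TRUSTED_WRITERS:
        return None
    return ("Drops file in System32 directory", f"{ev['image']} wrote {ev['target']}")


def analyze(events):
    """Run the per-event checks and correlate ProcessCreate against files created earlier in the log."""
    dropped, hits = set(), []
    for ev in events:
        for check in (check_run_key, check_userinit, check_system32_drop):
            hit = check(ev)
            if hit:
                hits.append(hit)
        if ev["id"] == 11:
            dropped.add(ev["target"].lower())
        elif ev["id"] == 1 and ev["image"].lower() in dropped:
            hits.append(("Executes dropped EXE", f"{ev['parent']} started {ev['image']}"))
    return hits


if __name__ == "__main__":
    for rule, detail in analyze(EVENTS):
        print(f"[{rule}] {detail}")
```

The Userinit check compares against the default entry rather than alerting on any write, because installers and Windows servicing rewrite the value with its default; the two benign events in the constructed log exercise exactly those false-positive paths.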

MITRE ATT&CK Enterprise v15

Tasks