A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #27828  by Xylitol
 Sat Feb 06, 2016 7:23 pm
http://vxvault.net/ViriList.php?MD5=42D ... 7A0C17A9ED
https://www.virustotal.com/en/file/8a08 ... 454786639/
[DE] 46.20.33.123 (46.20.32.0/20) ~ MYLOC-AS myLoc managed IT AG,DE
Code:
#BEGIN DARKCOMET DATA --
MUTEX={DC_MUTEX-79VYXBE}
SID={Ali_VICTIM}
FWB={0}
NETDATA={adipluto.dynu.com:30150|adipluto.dynu.com:203|plutorack.linkpc.net:508}
GENCODE={nbntMhFUWx0T}
INSTALL={1}
COMBOPATH={3}
EDTPATH={JAVA\run32dil.exe}
KEYNAME={Microsoft}
EDTDATE={16/04/2014}
PERSINST={1}
MELT={0}
CHANGEDATE={1}
DIRATTRIB={0}
FILEATTRIB={0}
CHIDEF={1}
PERS={1}
OFFLINEK={1}
#EOF DARKCOMET DATA --
 #31154  by tuxy0
 Mon Dec 25, 2017 11:31 am
Hi,
I found a Dark Comet sample.
The sample is packed in an unusual way (2 RAR SFX stages, 1 of them encrypted) and UPX.

Maybe the author wants to evade AV detection with this.
Sorry, I did not find any thread dealing with Dark Comet, so I post it here.

C2 is gamerforever.no-ip.biz:1604

Full config (extracted):
Code:
#BEGIN DARKCOMET DATA --
PWD={josh}
MUTEX={DC_MUTEX-YWU5NWT}
SID={Guest16}
FWB={0}
NETDATA={gamerforever.no-ip.biz:1604}
GENCODE={fjQjEnZPzVua}
INSTALL={1}
COMBOPATH={7}
EDTPATH={MSDCSC\msdcsc.exe}
KEYNAME={MicroUpdate}
EDTDATE={16/04/2015}
PERSINST={1}
MELT={0}
CHANGEDATE={0}
DIRATTRIB={6}
FILEATTRIB={6}
CHIDEF={1}
CHIDED={1}
PERS={1}
OFFLINEK={1}
#EOF DARKCOMET DATA --
Anybody seen such an encryption/compression scheme?
Thanks.

Regards,
tuxy0
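Both posts dump the same DarkComet configuration block, the second one in the form a disassembler exports string literals. As an added example (not code from either poster), here is a small Python parser that normalises that export form, pulls the KEY={value} pairs between the #BEGIN/#EOF markers and splits NETDATA into C2 host/port pairs for IoC extraction; the sample input is constructed from values quoted in the posts.

```python
import re

# Constructed sample input (values quoted in the posts above), written in the
# 'text',0Dh,0Ah form a disassembler uses when exporting string literals.
SAMPLE_DUMP = """'#BEGIN DARKCOMET DATA --',0Dh,0Ah
'PWD={josh}',0Dh,0Ah
'MUTEX={DC_MUTEX-YWU5NWT}',0Dh,0Ah
'NETDATA={gamerforever.no-ip.biz:1604}',0Dh,0Ah
'EDTPATH={MSDCSC\\msdcsc.exe}',0Dh,0Ah
'KEYNAME={MicroUpdate}',0Dh,0Ah
'PERSINST={1}',0Dh,0Ah
'#EOF DARKCOMET DATA --',0"""

BEGIN, END = "#BEGIN DARKCOMET DATA --", "#EOF DARKCOMET DATA --"
IDA_LINE = re.compile(r"^'(.*)'(?:,[0-9A-Fa-f]+h?)*$")  # 'text',0Dh,0Ah or 'text',0
KV_LINE = re.compile(r"^([A-Z]+)=\{(.*)\}$")             # KEY={value}

def unwrap_ida_strings(text):
    """Turn disassembler string-literal lines back into plain text;
    lines not in that form (e.g. an already plain dump) pass through."""
    out = []
    for line in text.splitlines():
        m = IDA_LINE.match(line.strip())
        out.append(m.group(1) if m else line)
    return "\n".join(out)

def parse_darkcomet_config(text):
    """Return the KEY -> value mapping found between the #BEGIN/#EOF markers.
    Raises ValueError when the block is missing or truncated."""
    lines = unwrap_ida_strings(text).splitlines()
    if BEGIN not in lines or END not in lines:
        raise ValueError("DarkComet config markers not found")
    body = lines[lines.index(BEGIN) + 1:lines.index(END)]
    config = {}
    for line in body:
        m = KV_LINE.match(line.strip())
        if m:  # anything that is not KEY={value} is ignored
            config[m.group(1)] = m.group(2)
    return config

def c2_endpoints(config):
    """Split NETDATA ('host:port|host:port|...') into (host, port) pairs."""
    endpoints = []
    for entry in config.get("NETDATA", "").split("|"):
        host, _, port = entry.rpartition(":")
        if host and port.isdigit():
            endpoints.append((host, int(port)))
    return endpoints
```

The same parser accepts the plain key=value dump from the first post, where NETDATA carries several fallback C2 entries separated by "|".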