A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19760  by Xylitol
 Mon Jun 24, 2013 10:04 am
https://www.virustotal.com/en/file/910a ... 372068131/
Code: Select all
#BEGIN DARKCOMET DATA --
MUTEX={DC_MUTEX-0GT9PZS}
SID={Victime}
FWB={0}
NETDATA={durexbanana.no-ip.org:200}
GENCODE={YMrQHmVj2WLc}
INSTALL={1}
COMBOPATH={9}
EDTPATH={java\java.exe}
KEYNAME={MicroUpdate}
EDTDATE={16/04/2007}
PERSINST={0}
MELT={0}
CHANGEDATE={0}
DIRATTRIB={2}
FILEATTRIB={2}
OFFLINEK={1}
#EOF DARKCOMET DATA --
https://www.virustotal.com/en/file/3795 ... 372068190/
Code: Select all
#BEGIN DARKCOMET DATA --
MUTEX={DC_MUTEX-6H7XN68}
SID={V10}
FWB={0}
NETDATA={adrif.sivispacemparabellum.com.ru:90}
GENCODE={peCpxfAQmPgg}
OFFLINEK={1}
#EOF DARKCOMET DATA --
Attachments
infected
(676.25 KiB) Downloaded 90 times
 #19862  by Xylitol
 Fri Jun 28, 2013 10:54 pm
https://www.virustotal.com/en/file/8dab ... 372459900/
Code: Select all
#BEGIN DARKCOMET DATA --
MUTEX={DC_MUTEX-8Y3BT84}
SID={new}
FWB={0}
NETDATA={updateceb.zapto.org:7642}
GENCODE={7yJLy6pFGD68}
INSTALL={1}
COMBOPATH={7}
EDTPATH={MSDCSC\msdcsc.exe}
KEYNAME={MicroUpdate}
EDTDATE={16/04/2007}
PERSINST={1}
MELT={0}
CHANGEDATE={0}
DIRATTRIB={6}
FILEATTRIB={6}
SH5={1}
CHIDEF={1}
CHIDED={1}
PERS={1}
OFFLINEK={1}
#EOF DARKCOMET DATA --
https://www.virustotal.com/en/file/6fb2 ... 372459969/
Code: Select all
#BEGIN DARKCOMET DATA --
MUTEX={DC_MUTEX-2NZB5TU}
SID={Guest1}
FWB={0}
NETDATA={216.212.252.18:1080|anonymousfile.no-ip.biz:1080|anonymousfile.no-ip.biz:200}
GENCODE={vTwqt4Y6rMYY}
INSTALL={1}
COMBOPATH={10}
EDTPATH={MSDCSC\msdcsc.exe}
KEYNAME={MicroUpdate}
EDTDATE={16/04/2007}
PERSINST={1}
MELT={0}
CHANGEDATE={0}
DIRATTRIB={6}
FILEATTRIB={6}
FAKEMSG={1}
MSGTITLE={}
MSGCORE={434F4D504C455445203A33}
MSGICON={0}
SH4={1}
SH6={1}
SH7={1}
SH9={1}
CHIDEF={1}
CHIDED={1}
PERS={1}
OFFLINEK={1}
#EOF DARKCOMET DATA --
Attachments
infected
(1.28 MiB) Downloaded 104 times
 #20226  by thisisu
 Fri Jul 26, 2013 11:25 pm
Infected warez I think:

https://www.virustotal.com/en/file/1bc6 ... 374880346/

Was located here on a customer's Win8 laptop. C:\Program Files\GreenTree Applications\YTD Video Downloader\YTD_Downloader_Patch_c.exe

Keylogged data stored at : %AppData%\dclogs
and those sessions are stored in registry like the below:
Code: Select all
[HKEY_CURRENT_USER\Software\DC3_FEXEC]
"7/26/2013 at 4:18:17 PM"="{847e48a5-d6ef-11e1-af98-806e6f6e6963-4003718027}"
[HKEY_CURRENT_USER\Software\DC3_FEXEC]
"7/26/2013 at 4:21:14 PM"="{847e48a5-d6ef-11e1-af98-806e6f6e6963-4003718027}"
Attachments
ytdpatch.jpg
ytdpatch.jpg (27.53 KiB) Viewed 923 times
pass: infected
(1.06 MiB) Downloaded 110 times
 #20827  by Wack0
 Fri Sep 13, 2013 7:27 pm
markusg wrote:https://www.virustotal.com/file/8d70b8d ... /analysis/
Darkcomet RAT plus the *actual* IW5M launcher in .NET (probably VB.NET due to Microsoft.VisualBasic.dll reference) crypted file.

Decrypts and uses reflection to call in memory a function from a .NET library (A.dll) that does the actual work.

This library (original + ran through de4dot) + both unpacked files included in attached zip.
Attachments
passwd: infected
(495.32 KiB) Downloaded 88 times
 #22152  by Xylitol
 Fri Feb 07, 2014 2:03 am
https://www.virustotal.com/en/file/f5fa ... 391738475/
Code: Select all
#BEGIN DARKCOMET DATA --
MUTEX={DC_MUTEX-96SQ42J}
SID={Bot}
FWB={0}
NETDATA={flashezdns.no-ip.org:1500}
GENCODE={Cv3rG4AEulhQ}
OFFLINEK={1}
#EOF DARKCOMET DATA --
IP: 86.68.244.21:1500/TCP - ( 21.244.68.86.rev.sfr.net )
Attachments
infected
(314.35 KiB) Downloaded 87 times
 #26323  by Xylitol
 Sun Jul 19, 2015 4:37 pm
https://translate.google.com/translate? ... retours%2F
https://www.virustotal.com/en/file/39a0 ... 437323712/
Code: Select all
#BEGIN DARKCOMET DATA --
MUTEX={DC_MUTEX-8KD207Y}
SID={Server_01}
FWB={0}
NETDATA={projector123.zapto.org:1606}
GENCODE={QLg3uRtbq5r6}
INSTALL={1}
COMBOPATH={3}
EDTPATH={WINCOMPENENTS\wincomp.exe}
KEYNAME={Windows Compenents}
EDTDATE={16/04/2007}
PERSINST={1}
MELT={1}
CHANGEDATE={1}
DIRATTRIB={6}
FILEATTRIB={6}
FAKEMSG={1}
MSGTITLE={ERREUR}
MSGCORE={4572726F7220696E206C6F6164696E672028436F6465203A20307830303039386529}
MSGICON={16}
SH1={1}
SH3={1}
SH7={1}
CHIDEF={1}
CHIDED={1}
PERS={1}
OFFLINEK={1}
#EOF DARKCOMET DATA --
Files related (Athena botnet) connect to opsannonity2.i234.me who appear to be a Synology NAS.
86.221.66.223 - APoitiers-655-1-322-223.w86-221.abo.wanadoo.fr - FAI: Orange
Attachments
infected
(1.02 MiB) Downloaded 73 times
 #26623  by Linkcabin
 Sun Aug 30, 2015 6:49 pm
Taken from an obvious YouTube spreading scheme.

IP:108.85.128.137
ISP: AT&T U-verse
Key: #KCMDDC51#-
C&C: sss.no-ip.biz:200

Most likely home connection, uses as a TS Server too.

https://www.planetteamspeak.com/serverl ... .137:9987/

Badly Formatted Config, Just straight from dump.
Code: Select all
#BEGIN DARKCOMET DATA --..MUTEX={DC_MUTEX-EDJTTGP}..SID={Guest16}..FWB={0}..NETDATA={sss.no-ip.biz:200}..GENCODE={RrHH19cKVT1G}..INSTALL={1}..COMBOPATH={10}..EDTPATH={MSDCSC\msdcsc.exe}..KEYNAME={system32.dll}..EDTDATE={16/04/2007}..PERSINST={1}..MELT={1}..CHANGEDATE={0}..DIRATTRIB={6}..FILEATTRIB={6}..FAKEMSG={1}..MSGTITLE={Thank you}..MSGCORE={796F752068617665206A75737420696E7374616C6C6564206120737465616D206B65792067656E6F7261746F7221}..MSGICON={64}..SH1={1}..SH5={1}..SH7={1}..SH8={1}..SH9={1}..SH10={1}..CHIDEF={1}..CHIDED={1}..PERS={1}..OFFLINEK={1}..#EOF DARKCOMET DATA --
Attachments
standard pass
(659.17 KiB) Downloaded 57 times
 #26638  by Xylitol
 Tue Sep 01, 2015 12:27 pm