darkcomet | 78b1751491463b0d579eda079654d1dfb9296b98e2867b4fdc765256e5962398 | Triage

Sharing

General

Target

78b1751491463b0d579eda079654d1dfb9296b98e2867b4fdc765256e5962398
Size

1.5MB
Sample

200629-jjdlydfl4j
MD5

edb8b19beede18b21ec7ebc847271fd1
SHA1

8ec1c660059fc6a0571782fe17ed30787055b278
SHA256

78b1751491463b0d579eda079654d1dfb9296b98e2867b4fdc765256e5962398
SHA512

88197dc5f5480378481f0fc8165c051dc87148176fcae89a9367eaf004506d82755596f89c0d6fecbea5005301514caf507c1145edd9b657192258d10804e5c3

Score

10^/10

darkcomet sazan persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

C2

ya123131.duckdns.org:1604

Mutex

DC_MUTEX-LYRTGU5

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
m1B9veJm8Qlx
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  78b1751491463b0d579eda079654d1dfb9296b98e2867b4fdc765256e5962398
- Size
  
  1.5MB
- MD5
  
  edb8b19beede18b21ec7ebc847271fd1
- SHA1
  
  8ec1c660059fc6a0571782fe17ed30787055b278
- SHA256
  
  78b1751491463b0d579eda079654d1dfb9296b98e2867b4fdc765256e5962398
- SHA512
  
  88197dc5f5480378481f0fc8165c051dc87148176fcae89a9367eaf004506d82755596f89c0d6fecbea5005301514caf507c1145edd9b657192258d10804e5c3
Score

10^/10

darkcomet sazan persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometsazanpersistencerattrojan

behavioral2