darkcomet | 86ab6a7f9d86cb1bb3ad5b55d788e785092177db39206f73bb23f6251d3c4baf | Triage

Submit
Reports

Overview

overview

Static

static

86ab6a7f9d...af.exe

windows7_x64

86ab6a7f9d...af.exe

windows10_x64

Sharing

General

Target

86ab6a7f9d86cb1bb3ad5b55d788e785092177db39206f73bb23f6251d3c4baf
Size

2.0MB
Sample

200629-qxzww1x966
MD5

27bfb34bccb3534fb28907887ce2d416
SHA1

735ff286a15378f58adc88eb874602ce40fa9876
SHA256

86ab6a7f9d86cb1bb3ad5b55d788e785092177db39206f73bb23f6251d3c4baf
SHA512

c94302184c872e9d31196020e70ce2234196f94e5c0f8cff035babd40f40a1db05e08bca4efeb7080be8b3985eb8606a3cab82a1e701b73b8a6c685cd1acb3b1

Score

10^/10

darkcomet gudy evasion persistence rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

86ab6a7f9d86cb1bb3ad5b55d788e785092177db39206f73bb23f6251d3c4baf.exe

Resource

win7

darkcomet gudy evasion persistence rat trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

86ab6a7f9d86cb1bb3ad5b55d788e785092177db39206f73bb23f6251d3c4baf.exe

Resource

win10v200430

darkcomet gudy evasion rat trojan upx

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

GuDy

C2

sysprocess.ddns.net:1605

mila031.ddns.net:1604

Mutex

DC_MUTEX-9JVEVBK

Attributes

InstallPath
chkdsk32.exe
gencode
QAMy2R5hRowG
install
true
offline_keylogger
true
persistence
true
reg_key
SecurityEssentials

Targets

- Target
  
  86ab6a7f9d86cb1bb3ad5b55d788e785092177db39206f73bb23f6251d3c4baf
- Size
  
  2.0MB
- MD5
  
  27bfb34bccb3534fb28907887ce2d416
- SHA1
  
  735ff286a15378f58adc88eb874602ce40fa9876
- SHA256
  
  86ab6a7f9d86cb1bb3ad5b55d788e785092177db39206f73bb23f6251d3c4baf
- SHA512
  
  c94302184c872e9d31196020e70ce2234196f94e5c0f8cff035babd40f40a1db05e08bca4efeb7080be8b3985eb8606a3cab82a1e701b73b8a6c685cd1acb3b1
Score

10^/10

darkcomet gudy evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Program crash
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometgudyevasionpersistencerattrojanupx

behavioral2

darkcometgudyevasionrattrojanupx

© 2018-2024

Terms | Privacy