darkcomet | 3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d | Triage

Submit
Reports

Overview

overview

Static

static

3b93bbc5e1...7d.exe

windows7_x64

3b93bbc5e1...7d.exe

windows10_x64

Sharing

General

Target

3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d
Size

557KB
Sample

201108-7kfq9tbk4j
MD5

316ced1fc09909dff0b75efbd0da2ae0
SHA1

2d5cb13b6c956f8a7b6307d7f629a56117d2d9ee
SHA256

3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d
SHA512

fca713a6489bf4d87be23d9fbc6e9aa6fccf8a6329d1abed6e2e28bf2286f2fd78486cd77111eabed293f29fac81bfa1fbd9c8f9ebdb1452cd5af9eb41bdd5ad

Score

10^/10

darkcomet 2020okt999+++4 evasion persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d.exe

Resource

win7v20201028

darkcomet 2020okt999+++4 evasion persistence rat trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d.exe

Resource

win10v20201028

darkcomet 2020okt999+++4 persistence rat trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

2020okt999+++4

C2

sandyclark255.hopto.org:1605

Mutex

DC_MUTEX-D50H81E

Attributes

InstallPath
word64l.exe
gencode
0zgSCfjSH24W
install
true
offline_keylogger
true
password
hhhhhh
persistence
true
reg_key
winworde

Targets

- Target
  
  3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d
- Size
  
  557KB
- MD5
  
  316ced1fc09909dff0b75efbd0da2ae0
- SHA1
  
  2d5cb13b6c956f8a7b6307d7f629a56117d2d9ee
- SHA256
  
  3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d
- SHA512
  
  fca713a6489bf4d87be23d9fbc6e9aa6fccf8a6329d1abed6e2e28bf2286f2fd78486cd77111eabed293f29fac81bfa1fbd9c8f9ebdb1452cd5af9eb41bdd5ad
Score

10^/10

darkcomet 2020okt999+++4 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcomet2020okt999+++4evasionpersistencerattrojan

behavioral2

darkcomet2020okt999+++4persistencerattrojan

© 2018-2024

Terms | Privacy