darkcomet | 6cdd8396703edddaf4a0273aaa07ba21b015f94bebc1f9cba18e891dee562637 | Triage

Submit
Reports

Overview

overview

Static

static

6cdd839670...37.exe

windows7_x64

6cdd839670...37.exe

windows10_x64

Sharing

General

Target

6cdd8396703edddaf4a0273aaa07ba21b015f94bebc1f9cba18e891dee562637
Size

385KB
Sample

201111-46dct23hbj
MD5

18bd9d5b34767fee5ff6b1b209c43b88
SHA1

378a9b8ab39c916e908ee5d5e01b685566377aae
SHA256

6cdd8396703edddaf4a0273aaa07ba21b015f94bebc1f9cba18e891dee562637
SHA512

1698105a6b6eb4a65c69f15cd2493eb9108546abdc9f3f65f40004ac03463afa0c05d081b2fc0e927ae5a6b251b18eef94af50b5b1df6f709c741e389a5c4461

Score

10^/10

darkcomet 06-11-2020 evasion persistence rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

6cdd8396703edddaf4a0273aaa07ba21b015f94bebc1f9cba18e891dee562637.exe

Resource

win7v20201028

darkcomet 06-11-2020 evasion persistence rat trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

6cdd8396703edddaf4a0273aaa07ba21b015f94bebc1f9cba18e891dee562637.exe

Resource

win10v20201028

darkcomet 06-11-2020 evasion persistence rat trojan upx

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

06-11-2020

C2

LAMIA-41739.portmap.io:41739

karmina113.sytes.net:7777

karmina200.sytes.net:7777

Mutex

DC_MUTEX-R9E2RDG

Attributes

InstallPath
svchost\svchost.exe
gencode
dneJWn9fFTdt
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  6cdd8396703edddaf4a0273aaa07ba21b015f94bebc1f9cba18e891dee562637
- Size
  
  385KB
- MD5
  
  18bd9d5b34767fee5ff6b1b209c43b88
- SHA1
  
  378a9b8ab39c916e908ee5d5e01b685566377aae
- SHA256
  
  6cdd8396703edddaf4a0273aaa07ba21b015f94bebc1f9cba18e891dee562637
- SHA512
  
  1698105a6b6eb4a65c69f15cd2493eb9108546abdc9f3f65f40004ac03463afa0c05d081b2fc0e927ae5a6b251b18eef94af50b5b1df6f709c741e389a5c4461
Score

10^/10

darkcomet 06-11-2020 evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcomet06-11-2020evasionpersistencerattrojanupx

behavioral2

darkcomet06-11-2020evasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy