darkcomet | bdca22b50a716ac1106fce8eb7fbb0df989bbf381329e952d16be68dc01c6477 | Triage

Submit
Reports

Overview

overview

Static

static

8

417dd0fc26...48.exe

windows7_x64

417dd0fc26...48.exe

windows10_x64

Sharing

General

Target

417dd0fc267b52a099e6d21e2f587448
Size

252KB
Sample

201117-ff5v78ch1x
MD5

d87a0b6ff3b80619eff6a91dcbbc92f2
SHA1

2bd496d9718547ba4ff87aab82ef78e7d020b586
SHA256

bdca22b50a716ac1106fce8eb7fbb0df989bbf381329e952d16be68dc01c6477
SHA512

da4d7b6ddb9ac15f82ed0e9452e4e90e474c3b22a2b4eb859f3e34033676d1e6e117278a1c65a22ba27a3ba4199c8b5334b8d036d139a3e5071f917c8026df1e

Score

10^/10

darkcomet guest16 evasion persistence rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

417dd0fc267b52a099e6d21e2f587448.exe

Resource

win7v20201028

darkcomet guest16 evasion persistence rat trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

417dd0fc267b52a099e6d21e2f587448.exe

Resource

win10v20201028

darkcomet guest16 evasion persistence rat trojan upx

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

batchlove.hopto.org:1605

Mutex

DC_MUTEX-Y0UZCZQ

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
KmnWlesUz91w
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  417dd0fc267b52a099e6d21e2f587448
- Size
  
  252KB
- MD5
  
  d87a0b6ff3b80619eff6a91dcbbc92f2
- SHA1
  
  2bd496d9718547ba4ff87aab82ef78e7d020b586
- SHA256
  
  bdca22b50a716ac1106fce8eb7fbb0df989bbf381329e952d16be68dc01c6477
- SHA512
  
  da4d7b6ddb9ac15f82ed0e9452e4e90e474c3b22a2b4eb859f3e34033676d1e6e117278a1c65a22ba27a3ba4199c8b5334b8d036d139a3e5071f917c8026df1e
Score

10^/10

darkcomet guest16 evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometguest16evasionpersistencerattrojanupx

behavioral2

darkcometguest16evasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy