darkcomet | 2a17e3086c909b6f21fc681ded7cad0f85c308118691899b181948cb4a11d81c | Triage

Sharing

General

Target

Hile.zip.zip
Size

2.5MB
Sample

210325-n4pawhaqwa
MD5

5bc63ad70a04e62cd8866c07163313eb
SHA1

fb891ff6f5e19e859330d050c861afb5a47cdb08
SHA256

2a17e3086c909b6f21fc681ded7cad0f85c308118691899b181948cb4a11d81c
SHA512

e8b884895b07291d644adcc66408c8bbc6d213b07db5ecaa6e16221b8e2082b674b0ce30f531ade1a92ef1fe5053c7170d0c64ab4a484cdeda8cd9039d82274d

Score

10^/10

darkcomet guest16 bootkit persistence ransomware rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

olmayanoc.duckdns.org:1604

Mutex

DC_MUTEX-CWXJ2HG

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
uEE4dQifbptz
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  Wolfteam/Hack.exe
- Size
  
  847KB
- MD5
  
  1d5349887bf319b3883a8e84797f2f0f
- SHA1
  
  3dd4311bdaee5164f1d4e4b3183fea9262a0a721
- SHA256
  
  a2aacc0b545223c09ebf8540450cd436d1fe4274b10660c4cb90b2dd35727a39
- SHA512
  
  e9faf7ad9998c6d0c9831eca28ad4822140d0b55dcb28974101a2b8e8a1fb0ef3a9f9aacc1f797440316a10dd3b03c6a13b4276b113d55689ce66825bc470680
Score

10^/10

darkcomet guest16 persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Wolfteam/SpeedTreeRT.dll
- Size
  
  1.7MB
- MD5
  
  1ac3d612389fa679f5ca3c6bab855145
- SHA1
  
  2f4f279d0c99c112db1adee5a3c324d0355fcbf5
- SHA256
  
  ddba9b9b427d541ebc0bf1221fffc5d56a85d7b8ee0dfe6370a83a133da6967b
- SHA512
  
  847376db96f3a3c1ab844fbf066f4e0e05b203769d7ca04fdf2463e86fc99ea1589054d1cc10ff70e45a5fb82a9e103edc2aa17b76cd94497cd49fedb6e06788
Score

8^/10

bootkit ransomware
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
behavioral3 behavioral4
- Target
  
  Wolfteam/api_ms_win_core_interlocked_l1_1_0.dll
- Size
  
  19KB
- MD5
  
  aebb266ad5e92fdfabb4b21ce973ff51
- SHA1
  
  018a5ebf9dc68cfe243d6ab2a2ec6f9371804110
- SHA256
  
  7e58e8c6140bb8108e284b364261842a5fd19fa37c30e5dd3501669d8fd5108a
- SHA512
  
  d9fe0a673128bcb289ffb5f7799afb79e642997acb7ca3a3cfd165b9dd029ce40d98e7659eaa94cef39964d3d89af3bd1d44a220c246d73f08ba9642ec0b06d9
Score

8^/10

bootkit ransomware
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
behavioral5 behavioral6
- Target
  
  Wolfteam/api_ms_win_core_synch_l1_1_0.dll
- Size
  
  20KB
- MD5
  
  981a70962828df80f65c822196daac8d
- SHA1
  
  1e9bc0925b963860c0755564f74b3fadb242f4eb
- SHA256
  
  d664f63c82b14e4d1cc52a1e6d0477b0ed9f333a12935e4e4ae2c223ca9d5437
- SHA512
  
  7222b99805e09069a7045818629eeac43119b8c1fe0a10cf4b840895f10187d14d7a253ca869edb9d03d54fd326d28c1aa0514cd3ec5d9661b71600b69173b3e
Score

8^/10

bootkit ransomware
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
behavioral7 behavioral8
- Target
  
  Wolfteam/api_ms_win_core_timezone_l1_1_0.dll
- Size
  
  18KB
- MD5
  
  fbfd4e793c857621f39f072eda5090df
- SHA1
  
  a58fc3833c54916b1f5bdf7a795782a3fd9350d2
- SHA256
  
  a64bc428270acd0abe920239d79930dd0bff1e800adf4d746e55d86d59edac25
- SHA512
  
  851e0f35cf4f2cd4b35c106e0cd1911b26116aa96592ce9cf788355ed17f72cf5e1c0833435bf1528300b8440e049b652391c13202721cdafa4b01c47461ec3b
Score

8^/10

bootkit ransomware
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
behavioral9 behavioral10
- Target
  
  Wolfteam/api_ms_win_crt_locale_l1_1_0.dll
- Size
  
  19KB
- MD5
  
  04e1358a7b9b4a90e9389bd669200e78
- SHA1
  
  314a23566764b0bf6e5e4f1d012595d6866d6418
- SHA256
  
  116f2ba1a53995feed6eecbe79452a0eb454e46d47f6253a756db662058bf473
- SHA512
  
  4ad23c8ff7ef26b7fb835943216f23ba0f2bfde4e2f7eae98926cfbaccd5574cc624b3f4b8203d682e724fd7b3593f0f318c49cb9ed153dc7ba1f92acfb7045f
Score

1^/10
behavioral11 behavioral12
- Target
  
  Wolfteam/python27.dll
- Size
  
  2.4MB
- MD5
  
  da8b71b282bb2c3e0ac3e0465e592e5d
- SHA1
  
  f3eaa7956a42dd65dc008d5621263ae4155eb204
- SHA256
  
  6c771faf75ac68d28f83509fc113288035978122dc49de8936d9011e0a9b20ab
- SHA512
  
  aa5c9c305b7d01eed4ed90afde0e4964071279ba64d0c5fa5743c70ecc039a841e437c6f850b5fdd770e61907aa55a98643545b1615829d4e420aac3eb133663
Score

8^/10

bootkit ransomware
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
behavioral13 behavioral14

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

guest16darkcomet

behavioral1

darkcometguest16persistencerattrojan

behavioral2

darkcometguest16persistencerattrojan

behavioral3

behavioral4

bootkitransomware

behavioral5

behavioral6

bootkitransomware

behavioral7

behavioral8

bootkitransomware

behavioral9

behavioral10

bootkitransomware

behavioral11

behavioral12

behavioral13

behavioral14

bootkitransomware