darkcomet | 136eddfd86a8ee4a6e6c8ed4d82bc78e795e5f02ff5e347dd95893a9b011222f | Triage

Sharing

General

Target

Payment 831.exe
Size

2.1MB
Sample

210404-8sd2rmtbdn
MD5

90f1582eb4aa8c5db832919e5e475fc5
SHA1

bbc4d5e90346af2ec03f7ec4af33a728108818a3
SHA256

136eddfd86a8ee4a6e6c8ed4d82bc78e795e5f02ff5e347dd95893a9b011222f
SHA512

37cd15caa53b047036334cf5b19ffaf7fc94aa32d4dc8648c2fe0c1bd623e332f70778b2bb59c3aeaf0f6ba5cae6fa1c1a360780e1c7d29e4be4a4d9ab459b43

Score

10^/10

darkcomet april 2021 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

April 2021

C2

bonding79.ddns.net:3316

goodgt79.ddns.net:3316

whatis79.ddns.net:3316

smath79.ddns.net:3316

jacknop79.ddns.net:3316

chrisle79.ddns.net:3316

Mutex

DC_MUTEX-L1TFBNC

Attributes

gencode
PvcfTTVpBSKd
install
false
offline_keylogger
true
password
Password20$
persistence
false

Targets

- Target
  
  Payment 831.exe
- Size
  
  2.1MB
- MD5
  
  90f1582eb4aa8c5db832919e5e475fc5
- SHA1
  
  bbc4d5e90346af2ec03f7ec4af33a728108818a3
- SHA256
  
  136eddfd86a8ee4a6e6c8ed4d82bc78e795e5f02ff5e347dd95893a9b011222f
- SHA512
  
  37cd15caa53b047036334cf5b19ffaf7fc94aa32d4dc8648c2fe0c1bd623e332f70778b2bb59c3aeaf0f6ba5cae6fa1c1a360780e1c7d29e4be4a4d9ab459b43
Score

10^/10

darkcomet april 2021 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometapril 2021evasionpersistencerattrojan

behavioral2

darkcometapril 2021evasionpersistencerattrojan