darkcomet | a70e2b46ebb363cb0c07bbac058096b337510dc6cfd3bebd7c8ba2c2965b948b | Triage

Sharing

General

Target

a70e2b46ebb363cb0c07bbac058096b337510dc6cfd3bebd7c8ba2c2965b948b
Size

690KB
Sample

210517-1ypkc17q1x
MD5

27593b60c26da879d8e0f6c5ce8b3c3c
SHA1

e050280ed8225f06c61f11b22ee9bdc32aac2777
SHA256

a70e2b46ebb363cb0c07bbac058096b337510dc6cfd3bebd7c8ba2c2965b948b
SHA512

17d74c7b47bfad005a6726388509fb996d126a721d20d43d61a550261f57942dcc2e74bbad78e96e0a83ebacd92eac1160f720b82630b30d16e5b438a35589ee

Score

10^/10

darkcomet pb+rp persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

PB+RP

C2

react1on.no-ip.biz:1004

Mutex

DC_MUTEX-9Z9HPRZ

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
bfAgAtl5pkim
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  a70e2b46ebb363cb0c07bbac058096b337510dc6cfd3bebd7c8ba2c2965b948b
- Size
  
  690KB
- MD5
  
  27593b60c26da879d8e0f6c5ce8b3c3c
- SHA1
  
  e050280ed8225f06c61f11b22ee9bdc32aac2777
- SHA256
  
  a70e2b46ebb363cb0c07bbac058096b337510dc6cfd3bebd7c8ba2c2965b948b
- SHA512
  
  17d74c7b47bfad005a6726388509fb996d126a721d20d43d61a550261f57942dcc2e74bbad78e96e0a83ebacd92eac1160f720b82630b30d16e5b438a35589ee
Score

10^/10

darkcomet pb+rp persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometpb+rppersistencerattrojan

behavioral2

darkcometpb+rppersistencerattrojan