darkcomet | d64c2da29df9186c58c5fceb4b2f1dca1c3360c74a342f4a61227e9a97a79d0f | Triage

Submit
Reports

Overview

overview

Static

static

dropmefile...re.exe

windows10_x64

Sharing

General

Target

dropmefiles.top_Nixware.exe
Size

756KB
Sample

210731-78c4ps4dc6
MD5

a599feb72860abcb8bd95d29aa7424b9
SHA1

9e1ded3db1863e13f6f9a443b3096567cf4108b3
SHA256

d64c2da29df9186c58c5fceb4b2f1dca1c3360c74a342f4a61227e9a97a79d0f
SHA512

40ae7c2516ba1ade6b42eefbbfd9552ae7c42921eb680e7abc001d86bbbebbe3258357b678c7ca2e4ae9ec21dc8fb54dfdc4d9d96728a1e24d78c1be8fd57a67

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Static task

static1

guest16 darkcomet

Behavioral task

behavioral1

Sample

dropmefiles.top_Nixware.exe

Resource

win10v20210410

darkcomet guest16 evasion persistence rat trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

teposs.ddns.net:7764

Mutex

DC_MUTEX-T8TS3MS

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
u2B4xQoge2Z5
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  dropmefiles.top_Nixware.exe
- Size
  
  756KB
- MD5
  
  a599feb72860abcb8bd95d29aa7424b9
- SHA1
  
  9e1ded3db1863e13f6f9a443b3096567cf4108b3
- SHA256
  
  d64c2da29df9186c58c5fceb4b2f1dca1c3360c74a342f4a61227e9a97a79d0f
- SHA512
  
  40ae7c2516ba1ade6b42eefbbfd9552ae7c42921eb680e7abc001d86bbbebbe3258357b678c7ca2e4ae9ec21dc8fb54dfdc4d9d96728a1e24d78c1be8fd57a67
Score

10^/10

darkcomet guest16 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

guest16darkcomet

behavioral1

darkcometguest16evasionpersistencerattrojan

© 2018-2024

Terms | Privacy