darkcomet | 64f87a54df363755339567ae103af89b64be18546b14b22b93610e0080c3793d | Triage

Submit
Reports

Overview

overview

Static

static

5

GHLDRO.exe

windows7_x64

GHLDRO.exe

windows10_x64

Sharing

General

Target

GHLDRO.exe
Size

13.7MB
Sample

210806-k4l28kehks
MD5

a8f3f22dda294b02f410ca95116a23bf
SHA1

413062e5f6a7ec6c23cb56fbb68c8984855e8a58
SHA256

64f87a54df363755339567ae103af89b64be18546b14b22b93610e0080c3793d
SHA512

a75fc1269444e2aff46a7901da89fd56b17120c56e4c7f89147a673e312dcc09366c9f16d3b4082f27a19a6f6aeed420c07112a5cbd04f8cd53d9792bb2ea711

Score

10^/10

darkcomet guest16 evasion persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

GHLDRO.exe

Resource

win7v20210408

darkcomet guest16 evasion persistence rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

GHLDRO.exe

Resource

win10v20210410

darkcomet guest16 evasion persistence rat spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

onlinebonjour1pt.ddns.net:1605

Mutex

DC_MUTEX-XJRH105

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
7qC8eTvgaGxs
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdapt

Targets

- Target
  
  GHLDRO.exe
- Size
  
  13.7MB
- MD5
  
  a8f3f22dda294b02f410ca95116a23bf
- SHA1
  
  413062e5f6a7ec6c23cb56fbb68c8984855e8a58
- SHA256
  
  64f87a54df363755339567ae103af89b64be18546b14b22b93610e0080c3793d
- SHA512
  
  a75fc1269444e2aff46a7901da89fd56b17120c56e4c7f89147a673e312dcc09366c9f16d3b4082f27a19a6f6aeed420c07112a5cbd04f8cd53d9792bb2ea711
Score

10^/10

darkcomet guest16 evasion persistence rat spyware stealer trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- autoit_exe
  AutoIT scripts compiled to PE executables.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Hidden Files and Directories

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometguest16evasionpersistenceratspywarestealertrojan

behavioral2

darkcometguest16evasionpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy