darkcomet | 3d96847f7962c01a7951f95acb29dff7999b7e8d54c946b3b1ccd035cbf2bcb1 | Triage

Submit
Reports

Overview

overview

Static

static

5

SBHJYT.exe

windows7_x64

SBHJYT.exe

windows10_x64

Sharing

General

Target

SBHJYT.exe
Size

13.9MB
Sample

210814-74xqhqeafx
MD5

20799f295c5b0e5aa27b5896b230b57a
SHA1

e0e72f3a636f4dcd87bb5606f24fe0ff298fbb74
SHA256

3d96847f7962c01a7951f95acb29dff7999b7e8d54c946b3b1ccd035cbf2bcb1
SHA512

70cd3984c49da18dc9aeb852f745a8324a93583ab892af7f08bf5372cdb4ffc0cb0cce4033988d9088aaf1b0c740f612690addf9598ad3349ef6ef79112b3d16

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

SBHJYT.exe

Resource

win7v20210408

darkcomet guest16 evasion persistence rat trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

SBHJYT.exe

Resource

win10v20210410

darkcomet guest16 evasion persistence rat trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

onlinebonjour1pt.ddns.net:1605

Mutex

DC_MUTEX-K9JEE5J

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
PPlJGVizdNKt
install
true
offline_keylogger
true
persistence
true
reg_key
Microdaptxx

Targets

- Target
  
  SBHJYT.exe
- Size
  
  13.9MB
- MD5
  
  20799f295c5b0e5aa27b5896b230b57a
- SHA1
  
  e0e72f3a636f4dcd87bb5606f24fe0ff298fbb74
- SHA256
  
  3d96847f7962c01a7951f95acb29dff7999b7e8d54c946b3b1ccd035cbf2bcb1
- SHA512
  
  70cd3984c49da18dc9aeb852f745a8324a93583ab892af7f08bf5372cdb4ffc0cb0cce4033988d9088aaf1b0c740f612690addf9598ad3349ef6ef79112b3d16
Score

10^/10

darkcomet guest16 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- autoit_exe
  AutoIT scripts compiled to PE executables.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometguest16evasionpersistencerattrojan

behavioral2

darkcometguest16evasionpersistencerattrojan

© 2018-2024

Terms | Privacy