darkcomet | cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72 | Triage

Submit
Reports

Overview

overview

Static

static

cfa850db87...72.exe

windows7_x64

cfa850db87...72.exe

windows10_x64

Sharing

General

Target

cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72
Size

1.3MB
Sample

210908-hfcatshbdq
MD5

50889863763dec84072482d72d257a5a
SHA1

ee585ed89df214b743ceb8fe2cf85999e6013806
SHA256

cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72
SHA512

4fb2c1a727d4b703e0e88eef85b4d57f181f9a0658219e493f3a3435c98defb0dc845c3d07b5be1d0bac5357f3e2a5b03e38b696fa846e8e17b4fc50f5c5d5eb

Score

10^/10

darkcomet m2 evasion persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe

Resource

win7v20210408

darkcomet m2 evasion persistence rat trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72.exe

Resource

win10-en

darkcomet m2 evasion persistence rat trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

m2

C2

127.0.0.1:1604

laylaylom15975300.freeddns.org:1604

Mutex

DC_MUTEX-J1SBQ5X

Attributes

InstallPath
MSDCSC\iexplorer.exe
gencode
bTMSQkMKM11U
install
true
offline_keylogger
true
persistence
true
reg_key
Windows Defender

Targets

- Target
  
  cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72
- Size
  
  1.3MB
- MD5
  
  50889863763dec84072482d72d257a5a
- SHA1
  
  ee585ed89df214b743ceb8fe2cf85999e6013806
- SHA256
  
  cfa850db87d98eed49dec543a7977ef9221dc62bd48c7aaaaafe1327c864aa72
- SHA512
  
  4fb2c1a727d4b703e0e88eef85b4d57f181f9a0658219e493f3a3435c98defb0dc845c3d07b5be1d0bac5357f3e2a5b03e38b696fa846e8e17b4fc50f5c5d5eb
Score

10^/10

darkcomet m2 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies security service
  evasion
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Modify Registry

Bypass User Account Control

Disabling Security Tools

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometm2evasionpersistencerattrojan

behavioral2

darkcometm2evasionpersistencerattrojan

© 2018-2024

Terms | Privacy