darkcomet | 9a967774e134d423ea04e8079d5236c8363422de1bd4e3e066168df9ccd54e78 | Triage

Submit
Reports

Overview

overview

Static

static

9a967774e1...78.exe

windows7_x64

9a967774e1...78.exe

windows10-2004_x64

Sharing

General

Target

9a967774e134d423ea04e8079d5236c8363422de1bd4e3e066168df9ccd54e78
Size

283KB
Sample

220420-ta9vpagcf7
MD5

6bf6d7d7e70cd737716b614f9008417b
SHA1

0c1996ccb192acd5ead43954cc984480fb18d910
SHA256

9a967774e134d423ea04e8079d5236c8363422de1bd4e3e066168df9ccd54e78
SHA512

6999c3f15f7b1c7231990f24c4dbae31ca9fb4faeddc337edfb5e6644f588ddcc103875d2746b7e3852bded61e8024cf2e5b41c1aef0ce05d5ba711c74474d33

Score

10^/10

darkcomet 1 evasion persistence rat trojan upx

Static task

static1

upx 1 darkcomet

Behavioral task

behavioral1

Sample

9a967774e134d423ea04e8079d5236c8363422de1bd4e3e066168df9ccd54e78.exe

Resource

win7-20220414-en

darkcomet evasion persistence rat trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

9a967774e134d423ea04e8079d5236c8363422de1bd4e3e066168df9ccd54e78.exe

Resource

win10v2004-20220414-en

darkcomet evasion persistence rat trojan upx

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

1

C2

192.168.0.5:81

192.168.0.5:1604

ilyakon213.hopto.org:1604

ilyakon213.hopto.org:81

Mutex

DC_MUTEX-8W6J4UL

Attributes

InstallPath
system.exe
gencode
YFrPALvfbSE1
install
true
offline_keylogger
true
persistence
true
reg_key
system

Targets

- Target
  
  9a967774e134d423ea04e8079d5236c8363422de1bd4e3e066168df9ccd54e78
- Size
  
  283KB
- MD5
  
  6bf6d7d7e70cd737716b614f9008417b
- SHA1
  
  0c1996ccb192acd5ead43954cc984480fb18d910
- SHA256
  
  9a967774e134d423ea04e8079d5236c8363422de1bd4e3e066168df9ccd54e78
- SHA512
  
  6999c3f15f7b1c7231990f24c4dbae31ca9fb4faeddc337edfb5e6644f588ddcc103875d2746b7e3852bded61e8024cf2e5b41c1aef0ce05d5ba711c74474d33
Score

10^/10

darkcomet evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometevasionpersistencerattrojanupx

behavioral2

darkcometevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy