Description
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
General
Target
Size
Sample
9a967774e134d423ea04e8079d5236c8363422de1bd4e3e066168df9ccd54e78
283KB
220420-ta9vpagcf7
Score
10/10
MD5
SHA1
SHA256
SHA512
6bf6d7d7e70cd737716b614f9008417b
0c1996ccb192acd5ead43954cc984480fb18d910
9a967774e134d423ea04e8079d5236c8363422de1bd4e3e066168df9ccd54e78
6999c3f15f7b1c7231990f24c4dbae31ca9fb4faeddc337edfb5e6644f588ddcc103875d2746b7e3852bded61e8024cf2e5b41c1aef0ce05d5ba711c74474d33
Malware Config
Extracted
| Family | darkcomet |
| Botnet | 1 |
| C2 |
192.168.0.5:81 192.168.0.5:1604 ilyakon213.hopto.org:1604 ilyakon213.hopto.org:81 |
| Attributes |
InstallPath system.exe
gencode YFrPALvfbSE1
install true
offline_keylogger true
persistence true
reg_key system |
Targets
Target
MD5
Filesize
9a967774e134d423ea04e8079d5236c8363422de1bd4e3e066168df9ccd54e78
6bf6d7d7e70cd737716b614f9008417b
283KB
Score
10/10
SHA1
SHA256
SHA512
0c1996ccb192acd5ead43954cc984480fb18d910
9a967774e134d423ea04e8079d5236c8363422de1bd4e3e066168df9ccd54e78
6999c3f15f7b1c7231990f24c4dbae31ca9fb4faeddc337edfb5e6644f588ddcc103875d2746b7e3852bded61e8024cf2e5b41c1aef0ce05d5ba711c74474d33
Tags
Signatures
-
Darkcomet
-
Modifies WinLogon for persistence
Tags
TTPs
-
Executes dropped EXE
-
Sets file to hidden
Description
Modifies file attributes to stop it showing in Explorer etc.
Tags
TTPs
-
UPX packed file
Description
Detects executables packed with UPX/modified UPX open source packer.
Tags
-
Checks computer location settings
Description
Looks up country code configured in the registry, likely geofence.
TTPs
-
Deletes itself
-
Loads dropped DLL
-
Adds Run key to start application
Tags
TTPs
Related Tasks
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation
Tasks
static1
Score
10/10
behavioral1
Score
10/10
behavioral2
Score
10/10