darkcomet | d020b049313ec9b24c829f81a315cac63f00000a22ff60e5f433ef0a1ad589b9 | Triage

Submit
Reports

Overview

overview

Static

static

d020b04931...b9.exe

windows7_x64

d020b04931...b9.exe

windows10-2004_x64

Sharing

General

Target

d020b049313ec9b24c829f81a315cac63f00000a22ff60e5f433ef0a1ad589b9
Size

3.5MB
Sample

220502-se18nsaadj
MD5

8143e4662e68907b624633013fff7ca3
SHA1

9a0fc7a71a26289e37298ff5a297bdb11b976e0f
SHA256

d020b049313ec9b24c829f81a315cac63f00000a22ff60e5f433ef0a1ad589b9
SHA512

cb0d55a9cfe65953471d3368122b3f590bb553bff7d92b3ce2802b75227de1d419dfab83ab6f7bdcf9fba0995ad3cd43fbea7c4bd2c4fcf44fadacf3cc4657cd

Score

10^/10

darkcomet 2020nov1 evasion persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

d020b049313ec9b24c829f81a315cac63f00000a22ff60e5f433ef0a1ad589b9.exe

Resource

win7-20220414-en

darkcomet 2020nov1 persistence rat trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

d020b049313ec9b24c829f81a315cac63f00000a22ff60e5f433ef0a1ad589b9.exe

Resource

win10v2004-20220414-en

darkcomet 2020nov1 evasion persistence rat trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

2020NOV1

C2

sandyclark255.hopto.org:35887

Mutex

DC_MUTEX-6XT818D

Attributes

InstallPath
excelsl.exe
gencode
n7asq0Dbu7D2
install
true
offline_keylogger
true
password
hhhhhh
persistence
true
reg_key
office

Targets

- Target
  
  d020b049313ec9b24c829f81a315cac63f00000a22ff60e5f433ef0a1ad589b9
- Size
  
  3.5MB
- MD5
  
  8143e4662e68907b624633013fff7ca3
- SHA1
  
  9a0fc7a71a26289e37298ff5a297bdb11b976e0f
- SHA256
  
  d020b049313ec9b24c829f81a315cac63f00000a22ff60e5f433ef0a1ad589b9
- SHA512
  
  cb0d55a9cfe65953471d3368122b3f590bb553bff7d92b3ce2802b75227de1d419dfab83ab6f7bdcf9fba0995ad3cd43fbea7c4bd2c4fcf44fadacf3cc4657cd
Score

10^/10

darkcomet 2020nov1 persistence rat trojan evasion
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcomet2020nov1persistencerattrojan

behavioral2

darkcomet2020nov1evasionpersistencerattrojan

© 2018-2024

Terms | Privacy