darkcomet | ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a | Triage

Submit
Reports

Overview

overview

Static

static

ab6ba5bec5...5a.exe

windows7_x64

8

ab6ba5bec5...5a.exe

windows10-2004_x64

Sharing

General

Target

ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a
Size

3.8MB
Sample

220502-w9ejyadbh9
MD5

57f9d1882f4bf9a35c66a3c7e541a174
SHA1

6c26537c0b251371c9e888f157f24017a00057eb
SHA256

ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a
SHA512

e76e92e95629581bc2ee0bafb4057446402c5ba72b2e2013a85c2109166412d07a2657815aeff13ee4e6f932016b6e32a7bdd5444bf560814b1c49a08877661f

Score

10^/10

darkcomet 2020nov1 2020nov11 evasion persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe

Resource

win7-20220414-en

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a.exe

Resource

win10v2004-20220414-en

darkcomet 2020nov1 2020nov11 evasion persistence rat trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

2020NOV11

C2

sandyclark255.hopto.org:1605

Mutex

DC_MUTEX-C010SK7

Attributes

gencode
cFXCTt13CuYM
install
false
offline_keylogger
true
password
hhhhhh
persistence
false

Extracted

Family

darkcomet

Botnet

2020NOV1

C2

sandyclark255.hopto.org:35887

Mutex

DC_MUTEX-6XT818D

Attributes

InstallPath
excelsl.exe
gencode
n7asq0Dbu7D2
install
true
offline_keylogger
true
password
hhhhhh
persistence
true
reg_key
office

Targets

- Target
  
  ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a
- Size
  
  3.8MB
- MD5
  
  57f9d1882f4bf9a35c66a3c7e541a174
- SHA1
  
  6c26537c0b251371c9e888f157f24017a00057eb
- SHA256
  
  ab6ba5bec568e340061bb8dde6c3342bf5fcb21b3d96badccabb252b77a9195a
- SHA512
  
  e76e92e95629581bc2ee0bafb4057446402c5ba72b2e2013a85c2109166412d07a2657815aeff13ee4e6f932016b6e32a7bdd5444bf560814b1c49a08877661f
Score

10^/10

darkcomet 2020nov1 2020nov11 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

darkcomet2020nov12020nov11evasionpersistencerattrojan

© 2018-2024

Terms | Privacy