darkcomet | 996d745b0948add2ef943870d637afb46d4463432df4cb766509ecaa1982a35a | Triage

Submit
Reports

Overview

overview

Static

static

996d745b09...5a.exe

windows7_x64

996d745b09...5a.exe

windows10-2004_x64

Sharing

General

Target

996d745b0948add2ef943870d637afb46d4463432df4cb766509ecaa1982a35a
Size

1.2MB
Sample

220520-d9yzgabadn
MD5

da81c76543b3f280abfaf1c04a820c8d
SHA1

e746372c52ab53a7dcded6ffd497f10d3b84bda9
SHA256

996d745b0948add2ef943870d637afb46d4463432df4cb766509ecaa1982a35a
SHA512

8fe78aee184022b8a15646d1a847aed29e3bf463599d5b8b517a321cc876f53ebb170b03ccdddb2032a6ab420956bfd233c489e954044a93a4c7995ed41b3346

Score

10^/10

darkcomet 1 evasion persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

996d745b0948add2ef943870d637afb46d4463432df4cb766509ecaa1982a35a.exe

Resource

win7-20220414-en

darkcomet 1 evasion persistence rat trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

996d745b0948add2ef943870d637afb46d4463432df4cb766509ecaa1982a35a.exe

Resource

win10v2004-20220414-en

darkcomet 1 evasion persistence rat trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

1

C2

sadist.ddns.net:500

Mutex

DC_MUTEX-WDGJLC3

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
bg0tFwB3BTiD
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  996d745b0948add2ef943870d637afb46d4463432df4cb766509ecaa1982a35a
- Size
  
  1.2MB
- MD5
  
  da81c76543b3f280abfaf1c04a820c8d
- SHA1
  
  e746372c52ab53a7dcded6ffd497f10d3b84bda9
- SHA256
  
  996d745b0948add2ef943870d637afb46d4463432df4cb766509ecaa1982a35a
- SHA512
  
  8fe78aee184022b8a15646d1a847aed29e3bf463599d5b8b517a321cc876f53ebb170b03ccdddb2032a6ab420956bfd233c489e954044a93a4c7995ed41b3346
Score

10^/10

darkcomet 1 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcomet1evasionpersistencerattrojan

behavioral2

darkcomet1evasionpersistencerattrojan

© 2018-2024

Terms | Privacy