darkcomet

General

Target

62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5
Size

762KB
Sample

220520-ptw1qabgb2
MD5

acaedef2c694bd1d58f4cb82ffb6318b
SHA1

316f234a5571b199a7d948f541ad3982536c033a
SHA256

62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5
SHA512

82f718bc54003f0537e7923285ed6d3188e458301f95029d0d273660f643755af5d2654f9acc4f23dd62e8fb15b0e114c308b7cf4dfbd673579f4f1d5b804513

Score

10^/10

Malware Config

Extracted

Family

darkcomet

Botnet

×èòåð

C2

62.33.2.50:1111

happycraft.hopto.org:1111

Mutex

DC_MUTEX-1BX3PA1

Attributes

InstallPath
temp\java.exe
gencode
6hPE8cPj7vE4
install
true
offline_keylogger
true
persistence
true
reg_key
java.exe

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

62.33.2.50:2222

Mutex

41aabe8f8c6d7c53ac94c0ce4c6ce249

Attributes

reg_key
41aabe8f8c6d7c53ac94c0ce4c6ce249
splitter
|'|'|

Targets

- Target
  
  62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5
- Size
  
  762KB
- MD5
  
  acaedef2c694bd1d58f4cb82ffb6318b
- SHA1
  
  316f234a5571b199a7d948f541ad3982536c033a
- SHA256
  
  62495c2cfde10b47d1c2cc907822fec4ca4f8b6e51c9216cf1dfdcc454c8a8d5
- SHA512
  
  82f718bc54003f0537e7923285ed6d3188e458301f95029d0d273660f643755af5d2654f9acc4f23dd62e8fb15b0e114c308b7cf4dfbd673579f4f1d5b804513
Score

10^/10

darkcomet njrat quasar hacked ×èòåð evasion persistence rat spyware suricata trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Windows security bypass
  evasion trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Suspicious use of SetThreadContext
behavioral1 behavioral2