darkcomet | 501b06bbbdfc13d8f7ab54a5e43e41845df54c2977d658812d0eb490b6479dc6 | Triage

Submit
Reports

Overview

overview

Static

static

501b06bbbd...c6.exe

windows7_x64

501b06bbbd...c6.exe

windows10-2004_x64

Sharing

General

Target

501b06bbbdfc13d8f7ab54a5e43e41845df54c2977d658812d0eb490b6479dc6
Size

283KB
Sample

220520-wfq1waebdl
MD5

a41eb80d74c75775d8ab172cdb96021a
SHA1

b941643497f1e9f077403da572192bea7544ef67
SHA256

501b06bbbdfc13d8f7ab54a5e43e41845df54c2977d658812d0eb490b6479dc6
SHA512

eea16e51b0abc8a93dc9e4d9339dd860529a48d902458752e8b19e98566ca325669db9dab1d8a35d8b9473b633138591da57de3a66bf38efc637c0064ca0070f

Score

10^/10

darkcomet jdominwars evasion persistence rat trojan upx

Static task

static1

upx jdominwars darkcomet

Behavioral task

behavioral1

Sample

501b06bbbdfc13d8f7ab54a5e43e41845df54c2977d658812d0eb490b6479dc6.exe

Resource

win7-20220414-en

darkcomet evasion persistence rat trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

501b06bbbdfc13d8f7ab54a5e43e41845df54c2977d658812d0eb490b6479dc6.exe

Resource

win10v2004-20220414-en

darkcomet evasion persistence rat trojan upx

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

jdominwars

C2

ovosh9999.ddns.net:1604

Mutex

DC_MUTEX-XZYDV4B

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
3aNjt0rawfS4
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  501b06bbbdfc13d8f7ab54a5e43e41845df54c2977d658812d0eb490b6479dc6
- Size
  
  283KB
- MD5
  
  a41eb80d74c75775d8ab172cdb96021a
- SHA1
  
  b941643497f1e9f077403da572192bea7544ef67
- SHA256
  
  501b06bbbdfc13d8f7ab54a5e43e41845df54c2977d658812d0eb490b6479dc6
- SHA512
  
  eea16e51b0abc8a93dc9e4d9339dd860529a48d902458752e8b19e98566ca325669db9dab1d8a35d8b9473b633138591da57de3a66bf38efc637c0064ca0070f
Score

10^/10

darkcomet evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

upxjdominwarsdarkcomet

behavioral1

darkcometevasionpersistencerattrojanupx

behavioral2

darkcometevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy