darkcomet | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62 | Triage

Submit
Reports

Overview

overview

Static

static

a0f7c2f2ac...62.exe

windows7_x64

a0f7c2f2ac...62.exe

windows10-2004_x64

Sharing

General

Target

a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62
Size

252KB
Sample

220521-w68zdabag8
MD5

532a6afb45c841f08a0ff9f104559334
SHA1

2fe9463e271b50907d72174992f4adf5c5c5eace
SHA256

a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62
SHA512

313db495bc51449b94484e749a2bee932686fabdfcf2e1a6e2c8caa10fe034960408c2f6a9b90f31e3ae55a1881752fab4baf1bae1fc5d14cf073884c358e7a4

Score

10^/10

darkcomet stepa_po4ta evasion persistence rat trojan upx

Static task

static1

upx stepa_po4ta darkcomet

Behavioral task

behavioral1

Sample

a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe

Resource

win7-20220414-en

darkcomet evasion persistence rat trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe

Resource

win10v2004-20220414-en

darkcomet evasion persistence rat trojan upx

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

stepa_po4ta

C2

triplekill.ddns.net:1604

Mutex

DC_MUTEX-Y6BWJ5B

Attributes

InstallPath
MSDCSC\proverka_stiller.exe
gencode
qsGLcJtz3RXp
install
true
offline_keylogger
true
persistence
false
reg_key
Java

Targets

- Target
  
  a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62
- Size
  
  252KB
- MD5
  
  532a6afb45c841f08a0ff9f104559334
- SHA1
  
  2fe9463e271b50907d72174992f4adf5c5c5eace
- SHA256
  
  a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62
- SHA512
  
  313db495bc51449b94484e749a2bee932686fabdfcf2e1a6e2c8caa10fe034960408c2f6a9b90f31e3ae55a1881752fab4baf1bae1fc5d14cf073884c358e7a4
Score

10^/10

darkcomet evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

upxstepa_po4tadarkcomet

behavioral1

darkcometevasionpersistencerattrojanupx

behavioral2

darkcometevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy