92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3

Target

Size

254KB

Sample

220521-xyzleacge9

Score

10 ^/10

MD5

175f2d9aebc4ac568a483a86af5e2188

SHA1

1883c73576b01e32c59643f00730906058795175

SHA256

92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3

SHA512

c1801bccb90550511c23524f01278232bed5e03a6e65b01c5d90d683830083d155a035efe1e5c6b64268f594d64b0d0a064a4eb2e5ec1b0fa9f53f517395ee15

Extracted

Family	darkcomet
Botnet	People
C2	radeiaor111.hopto.org:1604 radeiaor111.hopto.org:1604
Attributes	InstallPath app\update.exe gencode JRjs4z5EKcwD install true offline_keylogger true persistence true reg_key MicroUpdate

Target

92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3

MD5

175f2d9aebc4ac568a483a86af5e2188

Filesize

254KB

Score

10^/10

SHA1

1883c73576b01e32c59643f00730906058795175

SHA256

92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3

SHA512

c1801bccb90550511c23524f01278232bed5e03a6e65b01c5d90d683830083d155a035efe1e5c6b64268f594d64b0d0a064a4eb2e5ec1b0fa9f53f517395ee15

Signatures

Darkcomet
Description

DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
Tags

trojan rat darkcomet
Modifies WinLogon for persistence
Tags

persistence

TTPs

Winlogon Helper DLLModify Registry
Modifies security service
Tags

evasion

TTPs

Modify RegistryModify Existing Service
Windows security bypass
Tags

evasion trojan

TTPs

Disabling Security ToolsModify Registry
Disables RegEdit via registry modification
Tags

evasion
Executes dropped EXE
Sets file to hidden
Description

Modifies file attributes to stop it showing in Explorer etc.
Tags

evasion

TTPs

Hidden Files and Directories
UPX packed file
Description

Detects executables packed with UPX/modified UPX open source packer.
Tags

upx
Checks computer location settings
Description

Looks up country code configured in the registry, likely geofence.
TTPs

Query RegistrySystem Information Discovery
Deletes itself
Loads dropped DLL
Windows security modification
Tags

evasion trojan

TTPs

Disabling Security ToolsModify Registry
Adds Run key to start application
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry

Related Tasks

behavioral1 behavioral2

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

static1

upx people darkcomet

10^/10

behavioral1

darkcomet evasion persistence rat trojan upx

10^/10

behavioral2

darkcomet evasion persistence rat trojan upx

10^/10

Extracted

Tags

Signatures

Darkcomet

Description

Tags

Modifies WinLogon for persistence

Tags

TTPs

Modifies security service

Tags

TTPs

Windows security bypass

Tags

TTPs

Disables RegEdit via registry modification

Tags

Executes dropped EXE

Sets file to hidden

Description

Tags

TTPs

UPX packed file

Description

Tags

Checks computer location settings

Description

TTPs

Deletes itself

Loads dropped DLL

Windows security modification

Tags

TTPs

Adds Run key to start application

Tags

TTPs

Related Tasks

static1

behavioral1

behavioral2