darkcomet | 4b25575a20e1c416d898cd3e38281e16a9eec5be5dbd8ea4bbcfc3c84332c93b | Triage

Sharing

General

Target

4b25575a20e1c416d898cd3e38281e16a9eec5be5dbd8ea4bbcfc3c84332c93b
Size

382KB
Sample

220712-my1tcshga7
MD5

1727e622a856a6b90046baa9d95115cf
SHA1

38b574ee6d360c80379eb87dd2d7bf4096bc80d3
SHA256

4b25575a20e1c416d898cd3e38281e16a9eec5be5dbd8ea4bbcfc3c84332c93b
SHA512

4424507c010b5fad35ac67ff453e2ec81d2e2995debb7118c0801f13b16c81e0ea0ecc0bd00c471e16f670a61c3fe9fdcf25e667c4615b0dccfe627913c3d924

Score

10^/10

darkcomet jdb persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

JDB

C2

runescape6.no-ip.org:1604

Mutex

DC_MUTEX-TC2MWWW

Attributes

gencode
n72E9o3YwQwo
install
false
offline_keylogger
true
persistence
false

Targets

- Target
  
  4b25575a20e1c416d898cd3e38281e16a9eec5be5dbd8ea4bbcfc3c84332c93b
- Size
  
  382KB
- MD5
  
  1727e622a856a6b90046baa9d95115cf
- SHA1
  
  38b574ee6d360c80379eb87dd2d7bf4096bc80d3
- SHA256
  
  4b25575a20e1c416d898cd3e38281e16a9eec5be5dbd8ea4bbcfc3c84332c93b
- SHA512
  
  4424507c010b5fad35ac67ff453e2ec81d2e2995debb7118c0801f13b16c81e0ea0ecc0bd00c471e16f670a61c3fe9fdcf25e667c4615b0dccfe627913c3d924
Score

10^/10

darkcomet jdb persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometjdbpersistencerattrojan

behavioral2

darkcometjdbpersistencerattrojan