darkcomet | ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c | Triage

Sharing

General

Target

ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c
Size

1.2MB
Sample

220919-dhp79adea7
MD5

33fdbcf3a82778a8ea00249107bc8fe5
SHA1

202fa6601456532d10ffe3060d5a7ad92b53c072
SHA256

ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c
SHA512

0ec581b76f5a7ba20ccdabdda7ab4a4df79e4e99bbf7c6b60118965b271025a1d2c9ed57661cdc7fdbcd05f1a4e83d3e64444b18bbe312460b5f1168f8ab624a
SSDEEP

12288:lMEybYDzia5HqVG2Xc9cRYBfoozHwC1qgdB/Cfv2XyTkKORtRWAsENB0GSEMkN91:C9XHR0Q4/CGXyTn7AsENBprMMNvX5

Score

10^/10

darkcomet zombie evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Zombie

C2

anonymous-hr.zapto.org:5150

127.0.0.1:5150

Mutex

DC_MUTEX-A7UL2P5

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
5dY8i3S9M0Ys
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c
- Size
  
  1.2MB
- MD5
  
  33fdbcf3a82778a8ea00249107bc8fe5
- SHA1
  
  202fa6601456532d10ffe3060d5a7ad92b53c072
- SHA256
  
  ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c
- SHA512
  
  0ec581b76f5a7ba20ccdabdda7ab4a4df79e4e99bbf7c6b60118965b271025a1d2c9ed57661cdc7fdbcd05f1a4e83d3e64444b18bbe312460b5f1168f8ab624a
- SSDEEP
  
  12288:lMEybYDzia5HqVG2Xc9cRYBfoozHwC1qgdB/Cfv2XyTkKORtRWAsENB0GSEMkN91:C9XHR0Q4/CGXyTn7AsENBprMMNvX5
Score

10^/10

darkcomet zombie evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometzombieevasionpersistencerattrojan

behavioral2

darkcometzombieevasionpersistencerattrojan