darkcomet | a4b196e112825232a260725c2651764ad8d2bdcc5974ee4b0a9c635c14b0eb10 | Triage

Resubmissions

05/02/2025, 07:18

250205-h48nyaxnbp 10

01/10/2022, 23:37

221001-3mk7jaddeq 10

Sharing

General

Target

a4b196e112825232a260725c2651764ad8d2bdcc5974ee4b0a9c635c14b0eb10
Size

690KB
Sample

221001-3mk7jaddeq
MD5

45bfee45177d62952de9c03f661c4b1a
SHA1

e12804084039f235b768a21594c9e20b9ddb0d1b
SHA256

a4b196e112825232a260725c2651764ad8d2bdcc5974ee4b0a9c635c14b0eb10
SHA512

288247162e0cd2dca6e0d51890a70694a2ffaf0b0983f41f0048271c74af16a9eb8175c0e9f6fd91325ca93423aafd6816278e93520308ce53372e4f848f1264
SSDEEP

12288:f9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h9lI:JZ1xuVVjfFoynPaVBUR8f+kN10EBW

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-7R3QTTQ

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
NPore9Jz402K
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  a4b196e112825232a260725c2651764ad8d2bdcc5974ee4b0a9c635c14b0eb10
- Size
  
  690KB
- MD5
  
  45bfee45177d62952de9c03f661c4b1a
- SHA1
  
  e12804084039f235b768a21594c9e20b9ddb0d1b
- SHA256
  
  a4b196e112825232a260725c2651764ad8d2bdcc5974ee4b0a9c635c14b0eb10
- SHA512
  
  288247162e0cd2dca6e0d51890a70694a2ffaf0b0983f41f0048271c74af16a9eb8175c0e9f6fd91325ca93423aafd6816278e93520308ce53372e4f848f1264
- SSDEEP
  
  12288:f9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h9lI:JZ1xuVVjfFoynPaVBUR8f+kN10EBW
Score

10^/10

darkcomet guest16 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

guest16darkcomet

behavioral1

darkcometguest16evasionpersistencerattrojan

behavioral2

darkcometguest16evasionpersistencerattrojan