darkcomet | 0bc4dff8709c03d3249dffd1d5ef920ef9dda3ba0f6d2082a9a4ef852526671f | Triage

Sharing

Copy URL Twitter E-mail

General

Target

0bc4dff8709c03d3249dffd1d5ef920ef9dda3ba0f6d2082a9a4ef852526671f
Size

658KB
Sample

221002-sn41xsdfcm
MD5

41c97d1bac6fe5b92dfc8531c71a8920
SHA1

ab23bf913a449d8275fc176a89d1751fc7683e0e
SHA256

0bc4dff8709c03d3249dffd1d5ef920ef9dda3ba0f6d2082a9a4ef852526671f
SHA512

18cea33da291132745cdeed9def70709b1c42c187cd4d1ca2d0be9f4706741b9e0b94e5016cbe9ada2fd8aa3e56b6d3c4cb4d5a8fb985c39759c1472f4664e33
SSDEEP

12288:S9HMeUmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZKD/XdyFV:+iBIGkbxqEcjsWiDxguehC2Su

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

shanxai.no-ip.biz:1604

5.250.133.148:1604

Mutex

DC_MUTEX-8X742L9

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
VD22vU8Tcg5o
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  0bc4dff8709c03d3249dffd1d5ef920ef9dda3ba0f6d2082a9a4ef852526671f
- Size
  
  658KB
- MD5
  
  41c97d1bac6fe5b92dfc8531c71a8920
- SHA1
  
  ab23bf913a449d8275fc176a89d1751fc7683e0e
- SHA256
  
  0bc4dff8709c03d3249dffd1d5ef920ef9dda3ba0f6d2082a9a4ef852526671f
- SHA512
  
  18cea33da291132745cdeed9def70709b1c42c187cd4d1ca2d0be9f4706741b9e0b94e5016cbe9ada2fd8aa3e56b6d3c4cb4d5a8fb985c39759c1472f4664e33
- SSDEEP
  
  12288:S9HMeUmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZKD/XdyFV:+iBIGkbxqEcjsWiDxguehC2Su
Score

10^/10

darkcomet guest16 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

guest16darkcomet

behavioral1

darkcometguest16evasionpersistencerattrojan

behavioral2

darkcometguest16evasionpersistencerattrojan