darkcomet | 9831f2cac9abdd1cbbbf99c023622ee392cf18ce4f05f8f92847f12c089500f6 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

9831f2cac9abdd1cbbbf99c023622ee392cf18ce4f05f8f92847f12c089500f6
Size

991KB
Sample

221003-3jb5fsccf7
MD5

63e9ad903ec2cf825ed59b612fe17500
SHA1

fb86144ce0e7e08b9de0cdfa5301d1285c324a5d
SHA256

9831f2cac9abdd1cbbbf99c023622ee392cf18ce4f05f8f92847f12c089500f6
SHA512

eddf3980a8a9731d1533c5126f182071c6f0670dc4c24a4461a2787094e4fc7839c4711adde17a93fbc0deb00db98248ea1f031ac9c53a33f6db9464b63b83f9
SSDEEP

24576:ZqpwLFgPdVmkwoqtJKSKnRskWjY9Lk5JMmX:ZqpxdVcoyKSKn2jyLk5S2

Score

10^/10

darkcomet dota2 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Dota2

C2

proborder1.ddns.net:1604

Mutex

DC_MUTEX-CYVMWW6

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
lSY40Zh8BYov
install
true
offline_keylogger
true
persistence
false
reg_key
svhost.exe

Targets

- Target
  
  9831f2cac9abdd1cbbbf99c023622ee392cf18ce4f05f8f92847f12c089500f6
- Size
  
  991KB
- MD5
  
  63e9ad903ec2cf825ed59b612fe17500
- SHA1
  
  fb86144ce0e7e08b9de0cdfa5301d1285c324a5d
- SHA256
  
  9831f2cac9abdd1cbbbf99c023622ee392cf18ce4f05f8f92847f12c089500f6
- SHA512
  
  eddf3980a8a9731d1533c5126f182071c6f0670dc4c24a4461a2787094e4fc7839c4711adde17a93fbc0deb00db98248ea1f031ac9c53a33f6db9464b63b83f9
- SSDEEP
  
  24576:ZqpwLFgPdVmkwoqtJKSKnRskWjY9Lk5JMmX:ZqpxdVcoyKSKn2jyLk5S2
Score

10^/10

darkcomet dota2 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdota2evasionpersistencerattrojan

behavioral2

darkcometdota2evasionpersistencerattrojan