darkcomet | a33cbd49aa35873101d5cac1877e07d0232af35799e5f63ab75620815584964d | Triage

Sharing

General

Target

a33cbd49aa35873101d5cac1877e07d0232af35799e5f63ab75620815584964d
Size

816KB
Sample

221003-q8mw2aaad7
MD5

4f6043484f70bd54528c9193bcea630b
SHA1

a325f7a8fc036993a4e50d2aabdf677d46f5c193
SHA256

a33cbd49aa35873101d5cac1877e07d0232af35799e5f63ab75620815584964d
SHA512

4eced6cd643f9758e1e1c5f227c3471155a935feaff0e9adbcd4c8457c7a409ae3eab5102a6f5de01317da2edd3b44243fd49663a146bd7d5133c35e3dec0390
SSDEEP

24576:BJux1FoXBnpw8bzRhObDkvEbSDKC2UmKO7ZN/W:OxfYBny0zD0DkvG8mKQtW

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

linuxer.no-ip.org:81

linuxer.no-ip.org:90

linuxer.no-ip.org:100

linuxer.no-ip.org:80

linuxer.no-ip.org:443

Mutex

DC_MUTEX-MNKECC8

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
vk5iaHrP4wKn
install
true
offline_keylogger
true
password
study!@#
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  a33cbd49aa35873101d5cac1877e07d0232af35799e5f63ab75620815584964d
- Size
  
  816KB
- MD5
  
  4f6043484f70bd54528c9193bcea630b
- SHA1
  
  a325f7a8fc036993a4e50d2aabdf677d46f5c193
- SHA256
  
  a33cbd49aa35873101d5cac1877e07d0232af35799e5f63ab75620815584964d
- SHA512
  
  4eced6cd643f9758e1e1c5f227c3471155a935feaff0e9adbcd4c8457c7a409ae3eab5102a6f5de01317da2edd3b44243fd49663a146bd7d5133c35e3dec0390
- SSDEEP
  
  24576:BJux1FoXBnpw8bzRhObDkvEbSDKC2UmKO7ZN/W:OxfYBny0zD0DkvG8mKQtW
Score

10^/10

darkcomet guest16 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

darkcometguest16evasionpersistencerattrojan