darkcomet | a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d | Triage

Sharing

Copy URL Twitter E-mail

General

Target

a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d
Size

1.2MB
Sample

221019-1xsy1sadhn
MD5

a241280d074124e3fa5d05bb2cba8e6e
SHA1

44a4ee61a0f9e647ada2b858942a95b947f05c47
SHA256

a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d
SHA512

be91faeca248ce4e97cf38461b2960f834c513cfae1f8e77fa2df5d702417c256cf9fb368d26428cec1246373f5f9bbf429eeed2a4e92ebfa0df8ad35fc27a83
SSDEEP

12288:wgBvvNVR2ZI0FjCSxOpe3HJaXDngYw89UwmTYjPkgmJFxT6MPUYIAMBQaO9cOCaB:zvzRRwOpXDngYoY8j/UEFcyp0VxPN+r

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

192.168.254.104:1604

ford1981.no-ip.org:1604

Mutex

DC_MUTEX-2V3YSWB

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
aWbR1AewgYg4
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d
- Size
  
  1.2MB
- MD5
  
  a241280d074124e3fa5d05bb2cba8e6e
- SHA1
  
  44a4ee61a0f9e647ada2b858942a95b947f05c47
- SHA256
  
  a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d
- SHA512
  
  be91faeca248ce4e97cf38461b2960f834c513cfae1f8e77fa2df5d702417c256cf9fb368d26428cec1246373f5f9bbf429eeed2a4e92ebfa0df8ad35fc27a83
- SSDEEP
  
  12288:wgBvvNVR2ZI0FjCSxOpe3HJaXDngYw89UwmTYjPkgmJFxT6MPUYIAMBQaO9cOCaB:zvzRRwOpXDngYoY8j/UEFcyp0VxPN+r
Score

10^/10

darkcomet guest16 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Modifies WinLogon
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Impair Defenses

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

darkcometguest16evasionpersistencerattrojan

behavioral2

darkcometguest16evasionpersistencerattrojan