darkcomet | 4575e5b3b4067604d9119fec2bb7231e3730b41d90c803cc83d4d063585fcd67 | Triage

Sharing

General

Target

4575e5b3b4067604d9119fec2bb7231e3730b41d90c803cc83d4d063585fcd67
Size

658KB
Sample

221020-lw23zagcfm
MD5

4d741feb2db7c83e46ba8fb968d951ab
SHA1

67d589c07a57ee80cb22243900f4a6d5b35830f0
SHA256

4575e5b3b4067604d9119fec2bb7231e3730b41d90c803cc83d4d063585fcd67
SHA512

de9bcbae241b02510cd79a8b3f3f22d0656f4c6e41fba699b78af20e8fa47cb33cf3bad89581a6cbeda42003bb8ee9615731de04069daa0c610b253a27a9bcfb
SSDEEP

12288:e9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hM:qZ1xuVVjfFoynPaVBUR8f+kN10EBu

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

islamicarmy.no-ip.info:1604

Mutex

DC_MUTEX-FZZEX9U

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
1wl39jeFbp1k
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  4575e5b3b4067604d9119fec2bb7231e3730b41d90c803cc83d4d063585fcd67
- Size
  
  658KB
- MD5
  
  4d741feb2db7c83e46ba8fb968d951ab
- SHA1
  
  67d589c07a57ee80cb22243900f4a6d5b35830f0
- SHA256
  
  4575e5b3b4067604d9119fec2bb7231e3730b41d90c803cc83d4d063585fcd67
- SHA512
  
  de9bcbae241b02510cd79a8b3f3f22d0656f4c6e41fba699b78af20e8fa47cb33cf3bad89581a6cbeda42003bb8ee9615731de04069daa0c610b253a27a9bcfb
- SSDEEP
  
  12288:e9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hM:qZ1xuVVjfFoynPaVBUR8f+kN10EBu
Score

10^/10

darkcomet guest16 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

guest16darkcomet

behavioral1

darkcometguest16evasionpersistencerattrojan

behavioral2

darkcometguest16evasionpersistencerattrojan