darkcomet | f6fc7c02b1bce7cc7122b33a5ed8b3d62e4556a31ae552de3ba647ee3f9fb909 | Triage

Submit
Reports

Overview

overview

Static

static

f6fc7c02b1...09.exe

windows7-x64

f6fc7c02b1...09.exe

windows10-2004-x64

Sharing

General

Target

f6fc7c02b1bce7cc7122b33a5ed8b3d62e4556a31ae552de3ba647ee3f9fb909
Size

415KB
Sample

221020-xw7t1aahcr
MD5

a00a91d2ba20115b3703eeaecbccdec0
SHA1

caee7a7c7028aee84b2dcc9d26bc9beab713210d
SHA256

f6fc7c02b1bce7cc7122b33a5ed8b3d62e4556a31ae552de3ba647ee3f9fb909
SHA512

8af970b4e655adab2c979f66f01bdfe6189e099165a51247251654d533d25db0ff293e14dc3e40a8e886eb5983b97f2c7cca2d9fb97c94137868727245762247
SSDEEP

6144:5s5FPpcaThyso/4jKzw4wXbVkbS2xXBVA2ijUmi81tkyxbYWgOvWBK:qrPp1TFZEsb52xRVNN81eyxYWgOOBK

Score

10^/10

darkcomet hf evasion persistence rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

f6fc7c02b1bce7cc7122b33a5ed8b3d62e4556a31ae552de3ba647ee3f9fb909.exe

Resource

win7-20220812-en

darkcomet hf evasion persistence rat trojan upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

f6fc7c02b1bce7cc7122b33a5ed8b3d62e4556a31ae552de3ba647ee3f9fb909.exe

Resource

win10v2004-20220812-en

darkcomet hf evasion persistence rat trojan upx

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

HF

C2

steine.no-ip.biz:333

Mutex

DC_MUTEX-QAVBPMS

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
7ChNXBdU8LBi
install
true
offline_keylogger
true
persistence
true
reg_key
Sytem32dll

Targets

- Target
  
  f6fc7c02b1bce7cc7122b33a5ed8b3d62e4556a31ae552de3ba647ee3f9fb909
- Size
  
  415KB
- MD5
  
  a00a91d2ba20115b3703eeaecbccdec0
- SHA1
  
  caee7a7c7028aee84b2dcc9d26bc9beab713210d
- SHA256
  
  f6fc7c02b1bce7cc7122b33a5ed8b3d62e4556a31ae552de3ba647ee3f9fb909
- SHA512
  
  8af970b4e655adab2c979f66f01bdfe6189e099165a51247251654d533d25db0ff293e14dc3e40a8e886eb5983b97f2c7cca2d9fb97c94137868727245762247
- SSDEEP
  
  6144:5s5FPpcaThyso/4jKzw4wXbVkbS2xXBVA2ijUmi81tkyxbYWgOvWBK:qrPp1TFZEsb52xRVNN81eyxYWgOOBK
Score

10^/10

darkcomet hf evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcomethfevasionpersistencerattrojanupx

behavioral2

darkcomethfevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy