darkcomet | 5801b953d771af5f71d5f972cc9143b49116a562b7e3c884cca167dac043cc3d | Triage

Submit
Reports

Overview

overview

Static

static

Trojan-Ran...er.exe

windows7-x64

Trojan-Ran...er.exe

windows10-2004-x64

Sharing

General

Target

Trojan-Ransom.Win32.Blocker.hrft-5801b953d771af5f71d5f972cc9143b49116a562b7e3c884cca167dac043cc3d
Size

339KB
Sample

221106-3q6yeaaedq
MD5

7f193864875f86617fb274d491605645
SHA1

1374a7958b0c596edea03f681402fd3103b233ba
SHA256

5801b953d771af5f71d5f972cc9143b49116a562b7e3c884cca167dac043cc3d
SHA512

059bb16deb70152c58314381102dd25e52f53090fcf5f88430bbe953df4e686ee9708316de52944a02e002b7fb99ccc70fa6a2413fd5907d78d52891fcb16492
SSDEEP

6144:AUxA/K7GWMXqLj3BtP6J6TCDEVERm6m35RAzi702eOOaQ/hluADpfO:AUxseGWMXOttP60CDmI9651702eAufO

Score

10^/10

darkcomet vic evasion persistence rat trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

Trojan-Ransom.Win32.Blocker.exe

Resource

win7-20220812-en

darkcomet vic evasion persistence rat trojan upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

Trojan-Ransom.Win32.Blocker.exe

Resource

win10v2004-20220901-en

darkcomet vic evasion persistence rat trojan upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

VIC

C2

tigerbait.no-ip.org:200

Mutex

DC_MUTEX-RTR47PT

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
aYkU1NxKaQm1
install
true
offline_keylogger
true
persistence
true
reg_key
rundll32

Targets

- Target
  
  Trojan-Ransom.Win32.Blocker.hrft-5801b953d771af5f71d5f972cc9143b49116a562b7e3c884cca167dac043cc3d
- Size
  
  339KB
- MD5
  
  7f193864875f86617fb274d491605645
- SHA1
  
  1374a7958b0c596edea03f681402fd3103b233ba
- SHA256
  
  5801b953d771af5f71d5f972cc9143b49116a562b7e3c884cca167dac043cc3d
- SHA512
  
  059bb16deb70152c58314381102dd25e52f53090fcf5f88430bbe953df4e686ee9708316de52944a02e002b7fb99ccc70fa6a2413fd5907d78d52891fcb16492
- SSDEEP
  
  6144:AUxA/K7GWMXqLj3BtP6J6TCDEVERm6m35RAzi702eOOaQ/hluADpfO:AUxseGWMXOttP60CDmI9651702eAufO
Score

10^/10

darkcomet vic evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometvicevasionpersistencerattrojanupx

behavioral2

darkcometvicevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy