darkcomet | dcc7d9e8643c680dc44a2b7b41e5446d5e2c72b5c24a98f29ee157f188144e18 | Triage

Submit
Reports

Overview

overview

Static

static

dcc7d9e864...18.exe

windows7-x64

3

dcc7d9e864...18.exe

windows10-2004-x64

Sharing

General

Target

dcc7d9e8643c680dc44a2b7b41e5446d5e2c72b5c24a98f29ee157f188144e18
Size

720KB
Sample

221119-g4pqdsgf22
MD5

26a918e7cd82bd7a6d996a11f7100201
SHA1

cad5e730805136afd7c5b52779190b4ea31fad1b
SHA256

dcc7d9e8643c680dc44a2b7b41e5446d5e2c72b5c24a98f29ee157f188144e18
SHA512

ce98ff5d2bc9e6dbd10f90d7322c820840d741ca261e09bb58260117155ea8f10f2a0cdb59fb786ae77c521e61de19da671635a960e70f4903040a847b532c2d
SSDEEP

12288:te1irl7a9Gs+Dh+IELDHhDJ9vCG+WW3yW0UEJodMSIpboWagNRUhH11vWDmWd2W8:01irl7aaDhaHBfW3y/UEJo1Ihot2WNvB

Score

10^/10

darkcomet hf evasion persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

dcc7d9e8643c680dc44a2b7b41e5446d5e2c72b5c24a98f29ee157f188144e18.exe

Resource

win7-20221111-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

dcc7d9e8643c680dc44a2b7b41e5446d5e2c72b5c24a98f29ee157f188144e18.exe

Resource

win10v2004-20220812-en

darkcomet hf evasion persistence rat trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

HF

C2

kori.noip.me:1604

Mutex

DC_MUTEX-29YSYXC

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
rCPGBafHwHQh
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  dcc7d9e8643c680dc44a2b7b41e5446d5e2c72b5c24a98f29ee157f188144e18
- Size
  
  720KB
- MD5
  
  26a918e7cd82bd7a6d996a11f7100201
- SHA1
  
  cad5e730805136afd7c5b52779190b4ea31fad1b
- SHA256
  
  dcc7d9e8643c680dc44a2b7b41e5446d5e2c72b5c24a98f29ee157f188144e18
- SHA512
  
  ce98ff5d2bc9e6dbd10f90d7322c820840d741ca261e09bb58260117155ea8f10f2a0cdb59fb786ae77c521e61de19da671635a960e70f4903040a847b532c2d
- SSDEEP
  
  12288:te1irl7a9Gs+Dh+IELDHhDJ9vCG+WW3yW0UEJodMSIpboWagNRUhH11vWDmWd2W8:01irl7aaDhaHBfW3y/UEJo1Ihot2WNvB
Score

10^/10

darkcomet hf evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

darkcomethfevasionpersistencerattrojan

© 2018-2024

Terms | Privacy