darkcomet | ea7a82681cd48571895600fc83f4a397ab53e420a48c1182c7afcdded1261c20 | Triage

Sharing

General

Target

ea7a82681cd48571895600fc83f4a397ab53e420a48c1182c7afcdded1261c20
Size

2.6MB
Sample

221123-s1exkacg22
MD5

53dd257a8dc01c1bd6b30aabba15e298
SHA1

cf3c3edf42001185e713f7ccca748bfd64e8c19d
SHA256

ea7a82681cd48571895600fc83f4a397ab53e420a48c1182c7afcdded1261c20
SHA512

55f9c9b5e91814ad0bb3529b8fe8dca0a236c861099f734336d1f33ebc5ae2047492dc80c79f8f7a93f983673987b55a00838d135a005c83a389b5f451bbf3cb
SSDEEP

49152:OK8HEKuGsYG29+ycdwnVAT/jLY95i6vrNjhYRF3x3w1x2f:OK8HphJV9XczTss6vZho3xm

Score

10^/10

darkcomet defors prvi crypt persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Prvi crypt

C2

gogica.no-ip.org:2203

Mutex

DC_MUTEX-X1X9GKX

Attributes

gencode
xvV9rrEjdJiv
install
false
offline_keylogger
true
persistence
false

Extracted

Family

darkcomet

Botnet

DEFORS

C2

rsnoip.ddns.net:1997

Mutex

DCMIN_MUTEX-C5RDYJH

Attributes

gencode
NToT30g4twDC
install
false
offline_keylogger
true
persistence
false

Targets

- Target
  
  ea7a82681cd48571895600fc83f4a397ab53e420a48c1182c7afcdded1261c20
- Size
  
  2.6MB
- MD5
  
  53dd257a8dc01c1bd6b30aabba15e298
- SHA1
  
  cf3c3edf42001185e713f7ccca748bfd64e8c19d
- SHA256
  
  ea7a82681cd48571895600fc83f4a397ab53e420a48c1182c7afcdded1261c20
- SHA512
  
  55f9c9b5e91814ad0bb3529b8fe8dca0a236c861099f734336d1f33ebc5ae2047492dc80c79f8f7a93f983673987b55a00838d135a005c83a389b5f451bbf3cb
- SSDEEP
  
  49152:OK8HEKuGsYG29+ycdwnVAT/jLY95i6vrNjhYRF3x3w1x2f:OK8HphJV9XczTss6vZho3xm
Score

10^/10

darkcomet defors prvi crypt persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdeforsprvi cryptpersistencerattrojan

behavioral2

darkcometdeforsprvi cryptpersistencerattrojan