darkcomet | ef878a92695f129fdcbbe3fa24322aa28b25a178c5634e7986c912794df14c05 | Triage

Sharing

General

Target

ef878a92695f129fdcbbe3fa24322aa28b25a178c5634e7986c912794df14c05
Size

864KB
Sample

221123-s7d9lsdc27
MD5

17875d9e3865227c6ccaf732edc01906
SHA1

8c35f0870026545d60ae68f488f8bb5b97a3da1d
SHA256

ef878a92695f129fdcbbe3fa24322aa28b25a178c5634e7986c912794df14c05
SHA512

a6fa0ac5b5846e0e34e2cc2fd22ceef56bc14cdd03dc0926b360927c438939dff64a2ca1564da6b93f5fbe115156809076cf10179c500379368dac612d22a14b
SSDEEP

24576:eJJ/vxZRvmGa0/xHP8ueilAKw4uBhfmrlHj:w/JZRDzpHP8uf6pmdj

Score

10^/10

darkcomet dc8-23 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

DC8-23

C2

dctx.duckdns.org:200

Mutex

DC_MUTEX-P8HGWPL

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
TBEQV3sBL45t
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  ef878a92695f129fdcbbe3fa24322aa28b25a178c5634e7986c912794df14c05
- Size
  
  864KB
- MD5
  
  17875d9e3865227c6ccaf732edc01906
- SHA1
  
  8c35f0870026545d60ae68f488f8bb5b97a3da1d
- SHA256
  
  ef878a92695f129fdcbbe3fa24322aa28b25a178c5634e7986c912794df14c05
- SHA512
  
  a6fa0ac5b5846e0e34e2cc2fd22ceef56bc14cdd03dc0926b360927c438939dff64a2ca1564da6b93f5fbe115156809076cf10179c500379368dac612d22a14b
- SSDEEP
  
  24576:eJJ/vxZRvmGa0/xHP8ueilAKw4uBhfmrlHj:w/JZRDzpHP8uf6pmdj
Score

10^/10

darkcomet dc8-23 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Hidden Files and Directories

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

Hidden Files and Directories

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdc8-23evasionpersistencerattrojan

behavioral2

darkcometdc8-23evasionpersistencerattrojan