darkcomet | e105223818104fbf1df9a66c78fb35f56d765347fa77fb4f9d08b25e6b28df81 | Triage

Submit
Reports

Overview

overview

Static

static

1

e105223818...81.exe

windows7-x64

e105223818...81.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

e105223818104fbf1df9a66c78fb35f56d765347fa77fb4f9d08b25e6b28df81
Size

302KB
Sample

221124-erzcysgc95
MD5

ddaeff48446eac4ff2182a6510607433
SHA1

d29bba64d9c69723f475db3024ba3980c66848ba
SHA256

e105223818104fbf1df9a66c78fb35f56d765347fa77fb4f9d08b25e6b28df81
SHA512

fab135e41bc9ba76505ece12ec260e0ed078d28cc76f676f63961321211cbf958e3c40b87a24b7114b919a62ed364978a9b4492a4cf066e7acf3d12eb9ebc5a7
SSDEEP

6144:V4SUjhtojD3csvy1LadlU9xrr4CgGu3UKUmgbeYl3GWldr:uojTJQLaUrryGu3kmgH5GWTr

Score

10^/10

darkcomet hamz evasion persistence rat trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

e105223818104fbf1df9a66c78fb35f56d765347fa77fb4f9d08b25e6b28df81.exe

Resource

win7-20221111-en

darkcomet hamz evasion persistence rat trojan upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

e105223818104fbf1df9a66c78fb35f56d765347fa77fb4f9d08b25e6b28df81.exe

Resource

win10v2004-20221111-en

darkcomet hamz evasion persistence rat trojan upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Hamz

C2

gwapothenano.ddns.net:1604

Mutex

DC_MUTEX-HAMZL64

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
ebKkTMvpPw37
install
true
offline_keylogger
true
persistence
true
reg_key
mccsiwin

Targets

- Target
  
  e105223818104fbf1df9a66c78fb35f56d765347fa77fb4f9d08b25e6b28df81
- Size
  
  302KB
- MD5
  
  ddaeff48446eac4ff2182a6510607433
- SHA1
  
  d29bba64d9c69723f475db3024ba3980c66848ba
- SHA256
  
  e105223818104fbf1df9a66c78fb35f56d765347fa77fb4f9d08b25e6b28df81
- SHA512
  
  fab135e41bc9ba76505ece12ec260e0ed078d28cc76f676f63961321211cbf958e3c40b87a24b7114b919a62ed364978a9b4492a4cf066e7acf3d12eb9ebc5a7
- SSDEEP
  
  6144:V4SUjhtojD3csvy1LadlU9xrr4CgGu3UKUmgbeYl3GWldr:uojTJQLaUrryGu3kmgH5GWTr
Score

10^/10

darkcomet hamz evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcomethamzevasionpersistencerattrojanupx

behavioral2

darkcomethamzevasionpersistencerattrojanupx

© 2018-2025

Terms | Privacy