darkcomet | 382b933ad1424dd06b56ddc316bf53caa3873e11d0d6f345babf8060419f50f7 | Triage

Sharing

General

Target

382b933ad1424dd06b56ddc316bf53caa3873e11d0d6f345babf8060419f50f7
Size

711KB
Sample

221125-2xjk1sga7z
MD5

fcb118e3ee27ad7312eea77522dae022
SHA1

c0bc2d726ca7455f2a93ea604d04f429a45d8b64
SHA256

382b933ad1424dd06b56ddc316bf53caa3873e11d0d6f345babf8060419f50f7
SHA512

b0aaba3ed1773e1adfc8b50a2c0f9ade5bb5f606fea40081810d822dd174cb62ac67a6d73b43a25eb74938298b2e7fdf8f27ccdbb7b90c8bf63db36fa4b6405f
SSDEEP

12288:U4w9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h:UNZ1xuVVjfFoynPaVBUR8f+kN10EB

Score

10^/10

darkcomet idm trial evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

IDM Trial

C2

kaz.uk.to:1604

kfull500.ddns.net:1604

Mutex

DC_MUTEX-CXHTKCF

Attributes

InstallPath
svchost.scr
gencode
cykkmaBsLzRA
install
true
offline_keylogger
true
persistence
true
reg_key
msua

Targets

- Target
  
  382b933ad1424dd06b56ddc316bf53caa3873e11d0d6f345babf8060419f50f7
- Size
  
  711KB
- MD5
  
  fcb118e3ee27ad7312eea77522dae022
- SHA1
  
  c0bc2d726ca7455f2a93ea604d04f429a45d8b64
- SHA256
  
  382b933ad1424dd06b56ddc316bf53caa3873e11d0d6f345babf8060419f50f7
- SHA512
  
  b0aaba3ed1773e1adfc8b50a2c0f9ade5bb5f606fea40081810d822dd174cb62ac67a6d73b43a25eb74938298b2e7fdf8f27ccdbb7b90c8bf63db36fa4b6405f
- SSDEEP
  
  12288:U4w9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h:UNZ1xuVVjfFoynPaVBUR8f+kN10EB
Score

10^/10

darkcomet idm trial evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometidm trialevasionpersistencerattrojan

behavioral2

darkcometidm trialevasionpersistencerattrojan