darkcomet | 78317c1fab42ec5fac0910217b653200f6d57f9f1bae414fab61f0cf24ba1dec | Triage

Sharing

General

Target

78317c1fab42ec5fac0910217b653200f6d57f9f1bae414fab61f0cf24ba1dec
Size

706KB
Sample

221125-jgqehsbd92
MD5

4f4b1fdf7716475598b85aa697bde79f
SHA1

75636e3ab42f9ce94d67ad10358fe6b0f155032c
SHA256

78317c1fab42ec5fac0910217b653200f6d57f9f1bae414fab61f0cf24ba1dec
SHA512

63662fe4c6003c36d4482b08ef46257a13ebdae69b560f3360f5ff68d0c881fd6627cd0cc65a0dbba9a7e9cec89003de713d11347b7695d7068fd86b334c3101
SSDEEP

12288:7F1jyJiIb0ViydLd21typH/f980yy0EMZOJG9ZCWPYkpGYnRDQPdp+RQCdFawpYt:Xyh0VtJp39LywMLjPxpGYZqjGdF7pYt

Score

10^/10

darkcomet warbox hack evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Warbox Hack

C2

rique.ddns.net:1509

rique.ddns.net:1510

Mutex

DC_MUTEX-G286DKR

Attributes

InstallPath
NETFramework\mscorsvw.exe
gencode
56z1nPkRsoaD
install
true
offline_keylogger
true
password
09012000
persistence
true
reg_key
mscorsvw

Targets

- Target
  
  78317c1fab42ec5fac0910217b653200f6d57f9f1bae414fab61f0cf24ba1dec
- Size
  
  706KB
- MD5
  
  4f4b1fdf7716475598b85aa697bde79f
- SHA1
  
  75636e3ab42f9ce94d67ad10358fe6b0f155032c
- SHA256
  
  78317c1fab42ec5fac0910217b653200f6d57f9f1bae414fab61f0cf24ba1dec
- SHA512
  
  63662fe4c6003c36d4482b08ef46257a13ebdae69b560f3360f5ff68d0c881fd6627cd0cc65a0dbba9a7e9cec89003de713d11347b7695d7068fd86b334c3101
- SSDEEP
  
  12288:7F1jyJiIb0ViydLd21typH/f980yy0EMZOJG9ZCWPYkpGYnRDQPdp+RQCdFawpYt:Xyh0VtJp39LywMLjPxpGYZqjGdF7pYt
Score

10^/10

darkcomet warbox hack evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometwarbox hackevasionpersistencerattrojan

behavioral2

darkcometwarbox hackevasionpersistencerattrojan