darkcomet | 7a7ecaf29b080cf0b0235a470f13ae9abaf361a5298a500b8ed3a75d57853f04 | Triage

Sharing

General

Target

7a7ecaf29b080cf0b0235a470f13ae9abaf361a5298a500b8ed3a75d57853f04
Size

899KB
Sample

221125-k9rnqaff66
MD5

b27c19ec70b1dd4cf494bd51dfdeeb9f
SHA1

d3cbabc40a2cf7e9f74ed837a730037cb3f2641b
SHA256

7a7ecaf29b080cf0b0235a470f13ae9abaf361a5298a500b8ed3a75d57853f04
SHA512

a332e9148af245cf11339e5a3308fa1713cc33a011a110c839442027bd2cd952a38aa95be6e76219386e037270974f236e5f7f5260a0d10628f6285f850a9b4f
SSDEEP

12288:az7LI28qVU4SSUS8cl6crU+39M34LmDbvUyHotFGQajLhcpBGV8XfvbQY6s9i0Vd:afU2pBQ1cx3904rtYgaZkNVd

Score

10^/10

darkcomet ayyýldýztim2 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

ayyýldýztim2

C2

ayyildiztim06.dds.net:4919

Mutex

DC_MUTEX-51KGM4F

Attributes

InstallPath
MSDCSC\svchost.exe
gencode
w98gEx0KRcX2
install
true
offline_keylogger
true
persistence
true
reg_key
svchost

Targets

- Target
  
  7a7ecaf29b080cf0b0235a470f13ae9abaf361a5298a500b8ed3a75d57853f04
- Size
  
  899KB
- MD5
  
  b27c19ec70b1dd4cf494bd51dfdeeb9f
- SHA1
  
  d3cbabc40a2cf7e9f74ed837a730037cb3f2641b
- SHA256
  
  7a7ecaf29b080cf0b0235a470f13ae9abaf361a5298a500b8ed3a75d57853f04
- SHA512
  
  a332e9148af245cf11339e5a3308fa1713cc33a011a110c839442027bd2cd952a38aa95be6e76219386e037270974f236e5f7f5260a0d10628f6285f850a9b4f
- SSDEEP
  
  12288:az7LI28qVU4SSUS8cl6crU+39M34LmDbvUyHotFGQajLhcpBGV8XfvbQY6s9i0Vd:afU2pBQ1cx3904rtYgaZkNVd
Score

10^/10

darkcomet ayyýldýztim2 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometayyýldýztim2evasionpersistencerattrojan

behavioral2