darkcomet | 609128309dbf129d8f1cc8e3c14e0c84485a8092d93e17b8a3fc38e37f6f24da | Triage

Submit
Reports

Overview

overview

Static

static

609128309d...da.exe

windows7-x64

609128309d...da.exe

windows10-2004-x64

Sharing

General

Target

609128309dbf129d8f1cc8e3c14e0c84485a8092d93e17b8a3fc38e37f6f24da
Size

663KB
Sample

221126-2qe91sed3s
MD5

e54a1ca1c5c4259ad65bfe9d71e70080
SHA1

d6d388ace093d002dcfadff4daab1bdcdc74bd49
SHA256

609128309dbf129d8f1cc8e3c14e0c84485a8092d93e17b8a3fc38e37f6f24da
SHA512

c15b48d75b8e754f91d12bdb8938579bc814625f83662c4c78df8831af47c775db8368930d45b22acb3d008daacf2e1b9938467cc261a5716ec225391cf5d6ef
SSDEEP

12288:95xELLJZ0iUg9/L2V+7Xg8P99zhUOsNPNKw7fW/SphOY1Ij:9vsVOg98kP90OK7f64hOY1E

Score

10^/10

darkcomet guest16 persistence rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

609128309dbf129d8f1cc8e3c14e0c84485a8092d93e17b8a3fc38e37f6f24da.exe

Resource

win7-20220901-en

darkcomet guest16 persistence rat trojan upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

609128309dbf129d8f1cc8e3c14e0c84485a8092d93e17b8a3fc38e37f6f24da.exe

Resource

win10v2004-20220812-en

darkcomet guest16 persistence rat trojan upx

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

markben390.no-ip.org:1604

Mutex

DC_MUTEX-UU3AFB4

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
Di8UpZmPhKYN
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  609128309dbf129d8f1cc8e3c14e0c84485a8092d93e17b8a3fc38e37f6f24da
- Size
  
  663KB
- MD5
  
  e54a1ca1c5c4259ad65bfe9d71e70080
- SHA1
  
  d6d388ace093d002dcfadff4daab1bdcdc74bd49
- SHA256
  
  609128309dbf129d8f1cc8e3c14e0c84485a8092d93e17b8a3fc38e37f6f24da
- SHA512
  
  c15b48d75b8e754f91d12bdb8938579bc814625f83662c4c78df8831af47c775db8368930d45b22acb3d008daacf2e1b9938467cc261a5716ec225391cf5d6ef
- SSDEEP
  
  12288:95xELLJZ0iUg9/L2V+7Xg8P99zhUOsNPNKw7fW/SphOY1Ij:9vsVOg98kP90OK7f64hOY1E
Score

10^/10

darkcomet guest16 persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometguest16persistencerattrojanupx

behavioral2

darkcometguest16persistencerattrojanupx

© 2018-2024

Terms | Privacy