darkcomet

Sharing

Copy URL

Twitter E-mail

General

Target

84a8c0c110ac9ee5511ef0220cbec96ef4fa08cbfbaeffb186573d66455dac2d
Size

1.5MB
Sample

221126-a9l35aag46
MD5

f95d0ab5850dd45fe2f0b2a9eff2b142
SHA1

c892d4d387f6883d032ff19fa6de2b175eedcf61
SHA256

84a8c0c110ac9ee5511ef0220cbec96ef4fa08cbfbaeffb186573d66455dac2d
SHA512

778edad318cacf00a00e336f55a4dfea45df5b81ece219368aeaaba1bbaa3d0a07ba7859cae8661cd8d75f5a98721ecd91511dd21e6969eb42d2aad61e254778
SSDEEP

49152:2pxCzeA1aYFwfk1xcT0BmPxgISAzryF2ZX8ok5L:2pxUhaJf2c8Qb1UN

Score

10^/10

Malware Config

Extracted

Family

darkcomet

Botnet

alavera.no-ip.org:1604

Mutex

DC_MUTEX-QWLGHR9

Attributes

gencode
cEQ4P3g3EQgo
install
false
offline_keylogger
true
password
alavera1230147
persistence
false

Targets

- Target
  
  PipeCmd.exe
- Size
  
  40KB
- MD5
  
  970078b1a1d69f05bcd3944eb96a16b9
- SHA1
  
  64403ce63b28b544646a30da3be2f395788542d6
- SHA256
  
  cc1dda48929249b701305faea3619036cba29007a6db2a9aec6b8c05868ab1e6
- SHA512
  
  1eeb54f2b43140c659abe2f6b176e4aea0a0578cedfa21fa0c4011b6ab49eb129538a98adcabbbccc6f1004894a8135273dea15475240e688abbce1d75525c21
- SSDEEP
  
  384:jzc/9NSRix4fULMWru4xxkO3KnUF/02m44:jzc/bSm4uMW1xGoKnUx044
Score

1^/10
behavioral1 behavioral2
- Target
  
  heibai.net.htm
- Size
  
  3KB
- MD5
  
  64e775b57484547a8685a37f143e5d31
- SHA1
  
  e215b532666b3b7954943e4e2558190bd0583f78
- SHA256
  
  9ffaaf46f0ea054bd916f7c141b5390f04b0c25615a1210cf2b58d43a3b61eff
- SHA512
  
  af35f82b76fb486ffb4cccf397e178b81a942e1c9be4538c9d1434fcaf3ac6d438dd9b83113b9477729183efc74caf08e74ba651e542d1a9214f6e569dae2848
Score

1^/10
behavioral3 behavioral4
- Target
  
  hscan 1.2.exe
- Size
  
  1.1MB
- MD5
  
  de36d61f265e209ee8c09ee662a8cd9b
- SHA1
  
  87697005b5e52f391d13e313836106ad778edff6
- SHA256
  
  ee4b726c7bc356500183f5e17d8ce6f39ce55a72c46c4beeed3435bf0460210b
- SHA512
  
  6cc6f271904242c61134e4ef00920b432bc8a8c96594ed3ccf5d90263b0affd802e8612e26c60089239b894f0934f45c7f93908734c1c8b47b678c4722c9e113
- SSDEEP
  
  24576:NJGb3smSibRvFYXgkI+BuZFn5PZF34DRvM:3m3msSwV+BwZFo9
Score

10^/10

darkcomet 22 persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  hscangui.exe
- Size
  
  124KB
- MD5
  
  42be6717898901b0dc245800a219a3d1
- SHA1
  
  af8aced0a78e1181f4c307c78402481a589f8d07
- SHA256
  
  c9ec10f0be2bc81c2f3703b9b258a55f662d7fd78e4be0c3e24a6f2502978ddc
- SHA512
  
  4848f98f1a633cee19a38f83a11a35b5a18dfb9f0250413b1077c1dd38ab2305997a52b1d6eee78a862109f604fc1f24f2ff01badb3beabe11141bcf8e967ef8
- SSDEEP
  
  1536:MP4EawbCxws7yDKZvB+Dk1BTqgM35r9zN8PZlmuMJYqOgvP3/QXL:YKZ5+Dk13+qP/yl/HvQXL
Score

1^/10
behavioral7 behavioral8
- Target
  
  libmySQL.dll
- Size
  
  228KB
- MD5
  
  5c82aa0811d81b4caf189bc70f59d86d
- SHA1
  
  33552fda4d682ed39f9408e8bfb3c7fac9ee5659
- SHA256
  
  68dd7744114dd579cf5748d0a8e27ac9e7c83ef7fa7245786630ec69a286c090
- SHA512
  
  f23a7db670415e1bfd9b6d92ae65f427900696b4aa608ca236025f08f9f7e6ada397403fbb7b26796796edc55f351ea36a53eeb917e30aa80ab16e7fb6b242de
- SSDEEP
  
  6144:E2liPBy0LYtmcn7Ce5GfeAHC7Qea/6Dnegz:Flipy0L2mEj5GG3a/Qz
Score

3^/10
behavioral10 behavioral9
- Target
  
  oncrpc.dll
- Size
  
  68KB
- MD5
  
  be32939c3ad523129d84cf35a4f9641d
- SHA1
  
  e8f047eed8d4f6d2f5dbaffdd0e6e4a09c5298a2
- SHA256
  
  43ad6f6fc581dabc73f5da8ea691281bd0a28a413865dcb353772394a28f3445
- SHA512
  
  ed1ecb3d972a44dda3b720a7c4f56418908f83708fa926c39cc2998dd03da26d3c1303241d1288c748027a0db353a0670478093b4f04ce26c2f319e28c900fba
- SSDEEP
  
  1536:6QqKkdcFLkqJhmR56ONl24Xf2FCDEt1eGni:7jgq/hOL24XOFyI3i
Score

1^/10
behavioral11 behavioral12
- Target
  
  report/192.168.0.154-192.168.0.154.html
- Size
  
  1KB
- MD5
  
  f190462776444af0c1642aca8c801a8a
- SHA1
  
  df9eab3c23b0644041d8b7a9407c2103ab7aee7b
- SHA256
  
  af810b614ddc4935b1cbff82f51973e38213b9cdd9d61a7bba143c195711ce2e
- SHA512
  
  5395b0d679a796eadd8ae4fd421f678283d30ee5f4eeea99ed8ce0f47f83a3fd1c07d944dafbf749ec4b01513e5fbea81391053ee5d2557fba50be3d2f7a8096
Score

1^/10
behavioral13 behavioral14
- Target
  
  tools/NTCmd.exe
- Size
  
  36KB
- MD5
  
  4a9509c2d86a6b782df2837506015a3d
- SHA1
  
  a3ae8659b9a673aa346a60844208b371f7c05e3c
- SHA256
  
  f38cf1ce798e6a12ade9c196356d30ef5c8eadc99e34503644b53774dd9a0590
- SHA512
  
  9ead146bf5ae2d372e9d3f73d417f8ac8243c7cccc582c5448cdc77fd43879b728e9fd658769037dafd167f20340554127ea0b6e8f76f48efe6fa905ed1ac5a8
- SSDEEP
  
  384:JZKv/OOfkqTBUS04GcGzDml2HBLnoOMamtvFPm06pV1nOrvB6gkyDm73oieVux9c:J4nOOVBUWVfamtvFIdnOrsjyux9o7
Score

1^/10
behavioral15 behavioral16
- Target
  
  tools/Sqlcmd.exe
- Size
  
  32KB
- MD5
  
  bd368d2021f80055e62882768250df92
- SHA1
  
  99d56476e539750c599f76391d717c51c4955a33
- SHA256
  
  5ceae85b375e516adb38bcfcfe082b3aef76ad18712e2ee7e52acee35c17eb43
- SHA512
  
  c40795c456002747dffc774aa1f45a1e1922819d779a2b7595a1158dc56d9fe63658fe6c475a43d26adf79439ef161aa3afa6d13f1032f0f9d082ffb391091a1
- SSDEEP
  
  384:Fn7rbyjQT1cSUJhGEhYmlS5eRysypg9qffx3GkAoZo+n:Br2q1c3MEl2pg9qfp3GPo2+
Score

1^/10
behavioral17 behavioral18
- Target
  
  tools/cygwinb19.dll
- Size
  
  653KB
- MD5
  
  d388339d43a0e83c6effd1de09a91c30
- SHA1
  
  3988bddacf90569886a2505ec6eef8faf1c61df6
- SHA256
  
  61f3bd4efe4de44664eea151202542f058e2e247e28dcea4e5ac810a73d251f4
- SHA512
  
  83b61b44c20cabea1b7841d47a156e406f438023bbab4d35a9a90a1bff377da688e18841a39087c06182a2f0d428dd6b82783536ac99936d98f665fc1af3966c
- SSDEEP
  
  12288:ZBcweFLCwKDMpvVEiDTf5SUd9aw8s+r53fMyPMh39coCtE:D7twruiDTfT0w8s+93bPwcfy
Score

1^/10
behavioral19 behavioral20
- Target
  
  tools/mysql.exe
- Size
  
  326KB
- MD5
  
  ab9e515e0368d649741859a2dde0d7cf
- SHA1
  
  33e3f4bea31df01d67bdadf49b683670fdc04209
- SHA256
  
  87adca958b90b161bd0358386fab5834cd34f12af111f09b827fe99c1c48b969
- SHA512
  
  9537979bb28cb6449334759a0123e085d43c9e4b9c93b7276570d0e93bec2f463131ecc984a01acc7f483e629ba3958465f1d9fe53bca41658c0cca853c88cc0
- SSDEEP
  
  6144:36Cmsj/XggGwiNUwhVM2T0QNAVAUS37bMcdJaVm+jUlASBaKcCP63zA0iZdlv66B:36Cmsj/X8BNUwLM2T0QNAGUS37bMKJyW
Score

1^/10
behavioral21 behavioral22

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Uses the VBS compiler for execution

Adds Run key to start application

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22