darkcomet | dafd48ba32f46c2c6b16e6ee8b583d016b52181a5cd0593f19a691388a828eb7 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

dafd48ba32f46c2c6b16e6ee8b583d016b52181a5cd0593f19a691388a828eb7
Size

788KB
Sample

221126-cf99zadf43
MD5

2fffaee88dcbe7bb3916dc750300621c
SHA1

a3e4c4a09e3da891d9cf7fdb255e5f611283bb44
SHA256

dafd48ba32f46c2c6b16e6ee8b583d016b52181a5cd0593f19a691388a828eb7
SHA512

4851dda70172dc079b907376525103c25a6cb08deb116a9cab361cd5afa990c3bc6e7e63df3d50ee38e223ef9efa213bd95f6ce08cb83f1a9a81c75f18ae5f34
SSDEEP

24576:lZ1xuVVjfFoynPaVBUR8f+kN10EBXMxkTG:/QDgok302bTG

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

46.250.2.101:1604

Mutex

DC_MUTEX-HG6V7Q9

Attributes

InstallPath
MSDCSC\windowssystem.exe
gencode
Ax9lEl8tBlee
install
true
offline_keylogger
true
persistence
false
reg_key
windowssystem

Targets

- Target
  
  dafd48ba32f46c2c6b16e6ee8b583d016b52181a5cd0593f19a691388a828eb7
- Size
  
  788KB
- MD5
  
  2fffaee88dcbe7bb3916dc750300621c
- SHA1
  
  a3e4c4a09e3da891d9cf7fdb255e5f611283bb44
- SHA256
  
  dafd48ba32f46c2c6b16e6ee8b583d016b52181a5cd0593f19a691388a828eb7
- SHA512
  
  4851dda70172dc079b907376525103c25a6cb08deb116a9cab361cd5afa990c3bc6e7e63df3d50ee38e223ef9efa213bd95f6ce08cb83f1a9a81c75f18ae5f34
- SSDEEP
  
  24576:lZ1xuVVjfFoynPaVBUR8f+kN10EBXMxkTG:/QDgok302bTG
Score

10^/10

darkcomet guest16 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

guest16darkcomet

behavioral1

darkcometguest16evasionpersistencerattrojan

behavioral2

darkcometguest16evasionpersistencerattrojan