darkcomet | 7c5a0a556d1726082f301f91ce45bc500f67a7a0bfebe3946be777060368ffdc | Triage

Submit
Reports

Overview

overview

Static

static

5

7c5a0a556d...dc.exe

windows7-x64

7c5a0a556d...dc.exe

windows10-2004-x64

Sharing

General

Target

7c5a0a556d1726082f301f91ce45bc500f67a7a0bfebe3946be777060368ffdc
Size

1.5MB
Sample

221126-ckxjnshb2x
MD5

d538e0d54e60e10395575cad37ebe192
SHA1

2bbc96bfe9feaddd84a6e6b1fca1ebd2fc922313
SHA256

7c5a0a556d1726082f301f91ce45bc500f67a7a0bfebe3946be777060368ffdc
SHA512

506dcf8faaf245e2030d4a46e7385033f386c38adb73751493f534e126ce2afb656d0b4c4aa0919fb63d36d11f7724cd4f639f678ef185030a3497e74cb85d1c
SSDEEP

24576:Mtb20pkaCqT5TBWgNQ7aIqudDUo3IR9S2DIe6wMFZum5HKg6A:1Vg5tQ7a6QSxee5H75

Score

10^/10

darkcomet btc persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

7c5a0a556d1726082f301f91ce45bc500f67a7a0bfebe3946be777060368ffdc.exe

Resource

win7-20220812-en

darkcomet btc persistence rat trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

7c5a0a556d1726082f301f91ce45bc500f67a7a0bfebe3946be777060368ffdc.exe

Resource

win10v2004-20220812-en

darkcomet btc persistence rat trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

BTC

C2

zw23.hopper.pw:64202

Mutex

DC_MUTEX-GGA8YL2

Attributes

InstallPath
svchost\svchost.exe
gencode
lWvefMLzfSyz
install
true
offline_keylogger
true
persistence
true
reg_key
Host Process for Windows Services

Targets

- Target
  
  7c5a0a556d1726082f301f91ce45bc500f67a7a0bfebe3946be777060368ffdc
- Size
  
  1.5MB
- MD5
  
  d538e0d54e60e10395575cad37ebe192
- SHA1
  
  2bbc96bfe9feaddd84a6e6b1fca1ebd2fc922313
- SHA256
  
  7c5a0a556d1726082f301f91ce45bc500f67a7a0bfebe3946be777060368ffdc
- SHA512
  
  506dcf8faaf245e2030d4a46e7385033f386c38adb73751493f534e126ce2afb656d0b4c4aa0919fb63d36d11f7724cd4f639f678ef185030a3497e74cb85d1c
- SSDEEP
  
  24576:Mtb20pkaCqT5TBWgNQ7aIqudDUo3IR9S2DIe6wMFZum5HKg6A:1Vg5tQ7a6QSxee5H75
Score

10^/10

darkcomet btc persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometbtcpersistencerattrojan

behavioral2

darkcometbtcpersistencerattrojan

© 2018-2024

Terms | Privacy