darkcomet | 34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313 | Triage

Submit
Reports

Overview

overview

Static

static

34e3b02947...13.exe

windows7-x64

34e3b02947...13.exe

windows10-2004-x64

Sharing

General

Target

34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313
Size

2.8MB
Sample

221128-ahxesaab36
MD5

c633939e77b5cad28435cd6d1992f733
SHA1

beb9eb6895f973e8652f93ec792ce899653e07f2
SHA256

34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313
SHA512

a7dda52d2d62c51fd7e4a4e326a159f1ee16789fad0db98742c89003de20c7989b6f1aa37dd318e2e9091a749449b2335799740861019f57358d08b09f958fb3
SSDEEP

49152:3v5eYSm++WEQybtwVgRKwK9Svaj4u05l0Cs/zRHXK4M1RRTM88z04g8crAc+f8:/NSm++WE1dRKpSSj05l0Cs/zRHXK4M1f

Score

10^/10

darkcomet word persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe

Resource

win7-20221111-en

darkcomet word persistence rat trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe

Resource

win10v2004-20220812-en

darkcomet word persistence rat trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

word

C2

markben390.no-ip.org:1604

Mutex

DCMIN_MUTEX-WG79R6U

Attributes

gencode
QUoBsi7XUpPd
install
false
offline_keylogger
true
persistence
false

Targets

- Target
  
  34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313
- Size
  
  2.8MB
- MD5
  
  c633939e77b5cad28435cd6d1992f733
- SHA1
  
  beb9eb6895f973e8652f93ec792ce899653e07f2
- SHA256
  
  34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313
- SHA512
  
  a7dda52d2d62c51fd7e4a4e326a159f1ee16789fad0db98742c89003de20c7989b6f1aa37dd318e2e9091a749449b2335799740861019f57358d08b09f958fb3
- SSDEEP
  
  49152:3v5eYSm++WEQybtwVgRKwK9Svaj4u05l0Cs/zRHXK4M1RRTM88z04g8crAc+f8:/NSm++WE1dRKpSSj05l0Cs/zRHXK4M1f
Score

10^/10

darkcomet word persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometwordpersistencerattrojan

behavioral2

darkcometwordpersistencerattrojan

© 2018-2024

Terms | Privacy