darkcomet | 5ab49a8cbeef6d8e5d3d4261500db2f777184b62336fdf0c293f3d0205e2d983 | Triage

Submit
Reports

Overview

overview

Static

static

5ab49a8cbe...83.exe

windows7-x64

5ab49a8cbe...83.exe

windows10-2004-x64

Sharing

General

Target

5ab49a8cbeef6d8e5d3d4261500db2f777184b62336fdf0c293f3d0205e2d983
Size

699KB
Sample

221128-bhn9vacg47
MD5

d89d42c4b35422d886920d2e299f75c3
SHA1

8199dbef1e1a6e016f535ae2e464b0c9d52d8000
SHA256

5ab49a8cbeef6d8e5d3d4261500db2f777184b62336fdf0c293f3d0205e2d983
SHA512

95e10b82bb60810b34ae3a26e839f7f0964eea43d3351784892dc2e15e2c56f4183c3afafcbbb589b0b62f0bd892a22f1b58627a7754b17834e96319ed8e8752
SSDEEP

12288:TmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZKD/XdyFr9HMeF:TBIGkbxqEcjsWiDxguehC2Swj

Score

10^/10

darkcomet neshta guest16 persistence rat spyware stealer trojan

Static task

static1

neshta darkcomet

3 signatures

Behavioral task

behavioral1

Sample

5ab49a8cbeef6d8e5d3d4261500db2f777184b62336fdf0c293f3d0205e2d983.exe

Resource

win7-20220901-en

darkcomet neshta guest16 persistence rat spyware stealer trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

5ab49a8cbeef6d8e5d3d4261500db2f777184b62336fdf0c293f3d0205e2d983.exe

Resource

win10v2004-20220812-en

darkcomet neshta guest16 persistence rat spyware stealer trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

46.172.124.11:25565

Mutex

DC_MUTEX-4RH9W5R

Attributes

InstallPath
svchost.exe
gencode
4XPrawLvdpZr
install
true
offline_keylogger
true
persistence
false
reg_key
��

Targets

- Target
  
  5ab49a8cbeef6d8e5d3d4261500db2f777184b62336fdf0c293f3d0205e2d983
- Size
  
  699KB
- MD5
  
  d89d42c4b35422d886920d2e299f75c3
- SHA1
  
  8199dbef1e1a6e016f535ae2e464b0c9d52d8000
- SHA256
  
  5ab49a8cbeef6d8e5d3d4261500db2f777184b62336fdf0c293f3d0205e2d983
- SHA512
  
  95e10b82bb60810b34ae3a26e839f7f0964eea43d3351784892dc2e15e2c56f4183c3afafcbbb589b0b62f0bd892a22f1b58627a7754b17834e96319ed8e8752
- SSDEEP
  
  12288:TmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZKD/XdyFr9HMeF:TBIGkbxqEcjsWiDxguehC2Swj
Score

10^/10

darkcomet neshta guest16 persistence rat spyware stealer trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Detect Neshta payload
- Modifies WinLogon for persistence
  persistence
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Change Default File Association

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

neshtadarkcomet

behavioral1

darkcometneshtaguest16persistenceratspywarestealertrojan

behavioral2

darkcometneshtaguest16persistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy