darkcomet | b5737014d300186ca713d316bc40eb68b58e352115c9802c6c5e890e52e0a4a9 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

b5737014d300186ca713d316bc40eb68b58e352115c9802c6c5e890e52e0a4a9
Size

710KB
Sample

221129-nssfgahe91
MD5

595becf1d1d0c217789aba1454b53a19
SHA1

1ba98c8da8b056b77bbde295da566717fd204c03
SHA256

b5737014d300186ca713d316bc40eb68b58e352115c9802c6c5e890e52e0a4a9
SHA512

372f68eaf027af6737b3d1d3d09bec98dc445604b29c0d7c8c52d33ffd3246785f99b89954f5f00ab50a87d5c078b7fdb381abb6505c81223751754c602e9d99
SSDEEP

12288:Z7w+F1Rk4uUAH2V21W99ceY6BIhL6AKOsO2DUP6ve/uWeWwMi+cBtJnWBQIQElP4:hw+FjkaAH2V21W99Y6BIhL65ZvDUP6v6

Score

10^/10

darkcomet victim evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Victim

C2

hackersanonymous.no-ip.biz:88

Mutex

DC_MUTEX-TJCNQBL

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
8Ql0CztaQlhn
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  b5737014d300186ca713d316bc40eb68b58e352115c9802c6c5e890e52e0a4a9
- Size
  
  710KB
- MD5
  
  595becf1d1d0c217789aba1454b53a19
- SHA1
  
  1ba98c8da8b056b77bbde295da566717fd204c03
- SHA256
  
  b5737014d300186ca713d316bc40eb68b58e352115c9802c6c5e890e52e0a4a9
- SHA512
  
  372f68eaf027af6737b3d1d3d09bec98dc445604b29c0d7c8c52d33ffd3246785f99b89954f5f00ab50a87d5c078b7fdb381abb6505c81223751754c602e9d99
- SSDEEP
  
  12288:Z7w+F1Rk4uUAH2V21W99ceY6BIhL6AKOsO2DUP6ve/uWeWwMi+cBtJnWBQIQElP4:hw+FjkaAH2V21W99Y6BIhL65ZvDUP6v6
Score

10^/10

darkcomet victim evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometvictimevasionpersistencerattrojan

behavioral2

darkcometvictimevasionpersistencerattrojan