darkcomet | 5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2 | Triage

Submit
Reports

Overview

overview

Static

static

5c85bfa433...b2.exe

windows7-x64

5c85bfa433...b2.exe

windows10-2004-x64

Sharing

General

Target

5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2
Size

772KB
Sample

221129-svysgsca66
MD5

47a3df044a495ed7c6ba76c035a5551d
SHA1

0793db2a77213074fd9b0d494dad66b1368186ba
SHA256

5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2
SHA512

7f791219154d97fba2e3d48541f877bb6ee1bd64dc6f63a9ef238cd1161e84994eef85632206d7ccdc0034bd2cb54fcecfdfd4120dc9f79a8b5a26e1cae17617
SSDEEP

12288:cf2GiGMBHqhYOJONtMCesfXlKXeR6z6MMRlcT9cYYIJj0j0zpggnT:/GQFQgkC1PMzIlcZdYIJj0qdT

Score

10^/10

darkcomet 13.07.12 crypter persistence rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe

Resource

win7-20220812-en

darkcomet 13.07.12 crypter persistence rat trojan upx

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2.exe

Resource

win10v2004-20220812-en

darkcomet 13.07.12 crypter persistence rat trojan upx

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

13.07.12 Crypter

C2

leetaka1337.no-ip.org:1604

Mutex

DC_MUTEX-JFX5RP1

Attributes

InstallPath
MSDCSC\winhost.exe
gencode
lCnq6VNbar2M
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2
- Size
  
  772KB
- MD5
  
  47a3df044a495ed7c6ba76c035a5551d
- SHA1
  
  0793db2a77213074fd9b0d494dad66b1368186ba
- SHA256
  
  5c85bfa433b776f2505d65d140c16fcf90b4910546b59324f7501272584619b2
- SHA512
  
  7f791219154d97fba2e3d48541f877bb6ee1bd64dc6f63a9ef238cd1161e84994eef85632206d7ccdc0034bd2cb54fcecfdfd4120dc9f79a8b5a26e1cae17617
- SSDEEP
  
  12288:cf2GiGMBHqhYOJONtMCesfXlKXeR6z6MMRlcT9cYYIJj0j0zpggnT:/GQFQgkC1PMzIlcZdYIJj0qdT
Score

10^/10

darkcomet 13.07.12 crypter persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcomet13.07.12 crypterpersistencerattrojanupx

behavioral2

darkcomet13.07.12 crypterpersistencerattrojanupx

© 2018-2024

Terms | Privacy