darkcomet | aa9f58d66f9abf1a8ee8a0cdbf05a88643f725ddea30b52d65a4a70e3f854009 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

aa9f58d66f...09.exe

windows7-x64

aa9f58d66f...09.exe

windows10-2004-x64

Sharing

General

Target

aa9f58d66f9abf1a8ee8a0cdbf05a88643f725ddea30b52d65a4a70e3f854009
Size

659KB
Sample

221129-tgp4vsdd97
MD5

25c15339a4bc59109a702aea175a4278
SHA1

b7f42b8830b228e3af0210f7fea252430eaaefe3
SHA256

aa9f58d66f9abf1a8ee8a0cdbf05a88643f725ddea30b52d65a4a70e3f854009
SHA512

0a2fe3ae30b2fb1686d09bd0bd3ef0b90ba6292c4aeb83cd3a81a69f8bdaa61a583808d3212b5c5afe8e4a66acb0267ad893514c2b4a2106ac263c1ac9af3e26
SSDEEP

12288:h9AFlAd0Z+89cxTGzO4AucTD8QP2lmFSrVs9LqnKg:XAQ6Zx9cxTmOrucTIEFSpOG1

Score

10^/10

darkcomet persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

aa9f58d66f9abf1a8ee8a0cdbf05a88643f725ddea30b52d65a4a70e3f854009.exe

Resource

win7-20221111-en

darkcomet persistence rat trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

aa9f58d66f9abf1a8ee8a0cdbf05a88643f725ddea30b52d65a4a70e3f854009.exe

Resource

win10v2004-20221111-en

darkcomet persistence rat trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  aa9f58d66f9abf1a8ee8a0cdbf05a88643f725ddea30b52d65a4a70e3f854009
- Size
  
  659KB
- MD5
  
  25c15339a4bc59109a702aea175a4278
- SHA1
  
  b7f42b8830b228e3af0210f7fea252430eaaefe3
- SHA256
  
  aa9f58d66f9abf1a8ee8a0cdbf05a88643f725ddea30b52d65a4a70e3f854009
- SHA512
  
  0a2fe3ae30b2fb1686d09bd0bd3ef0b90ba6292c4aeb83cd3a81a69f8bdaa61a583808d3212b5c5afe8e4a66acb0267ad893514c2b4a2106ac263c1ac9af3e26
- SSDEEP
  
  12288:h9AFlAd0Z+89cxTGzO4AucTD8QP2lmFSrVs9LqnKg:XAQ6Zx9cxTmOrucTIEFSpOG1
Score

10^/10

darkcomet persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometpersistencerattrojan

behavioral2

darkcometpersistencerattrojan

© 2018-2025

Terms | Privacy