darkcomet | 9f5bbb4fc6f69e19a91cadcddcf1b2c4ffcf9f556fbaf855848ee84fa8610a47 | Triage

Submit
Reports

Overview

overview

Static

static

9f5bbb4fc6...47.exe

windows7-x64

1

9f5bbb4fc6...47.exe

windows10-2004-x64

Sharing

General

Target

9f5bbb4fc6f69e19a91cadcddcf1b2c4ffcf9f556fbaf855848ee84fa8610a47
Size

314KB
Sample

221130-hh37bsfc55
MD5

b885feb71421b4205b929d12fb69cdfe
SHA1

17fd2f3bee766a697c6d1fd30a29dedb38d90802
SHA256

9f5bbb4fc6f69e19a91cadcddcf1b2c4ffcf9f556fbaf855848ee84fa8610a47
SHA512

d9abd7fd4ef940afa2144bfb12ea62a1f251b56aadd26205c486d95e1f0a90430180167588222666978a626d0b37bec889cc9a8a1b0b54c12683640572c03f0f
SSDEEP

6144:fxL3BJf8bjtIT6XATveX9JbvJzM/hhPVhsBiR8PQL+mXA0H:5rH89I0DX/TJzM/hxVhsBiS4Bw+

Score

10^/10

darkcomet hf evasion persistence rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

9f5bbb4fc6f69e19a91cadcddcf1b2c4ffcf9f556fbaf855848ee84fa8610a47.exe

Resource

win7-20220812-en

windows7-x64

0 signatures

150 seconds

Behavioral task

behavioral2

Sample

9f5bbb4fc6f69e19a91cadcddcf1b2c4ffcf9f556fbaf855848ee84fa8610a47.exe

Resource

win10v2004-20221111-en

darkcomet hf evasion persistence rat trojan upx

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

HF

C2

leonkerr.no-ip.org:18752

Mutex

DC_MUTEX-BDHL2WC

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
CA2SHRhHsuSa
install
true
offline_keylogger
true
password
s2dh2`t12
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  9f5bbb4fc6f69e19a91cadcddcf1b2c4ffcf9f556fbaf855848ee84fa8610a47
- Size
  
  314KB
- MD5
  
  b885feb71421b4205b929d12fb69cdfe
- SHA1
  
  17fd2f3bee766a697c6d1fd30a29dedb38d90802
- SHA256
  
  9f5bbb4fc6f69e19a91cadcddcf1b2c4ffcf9f556fbaf855848ee84fa8610a47
- SHA512
  
  d9abd7fd4ef940afa2144bfb12ea62a1f251b56aadd26205c486d95e1f0a90430180167588222666978a626d0b37bec889cc9a8a1b0b54c12683640572c03f0f
- SSDEEP
  
  6144:fxL3BJf8bjtIT6XATveX9JbvJzM/hhPVhsBiR8PQL+mXA0H:5rH89I0DX/TJzM/hxVhsBiS4Bw+
Score

10^/10

darkcomet hf evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

darkcomethfevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy