darkcomet | 9bd407c77373ec66f798ade73998efcaab8b4f5cd8ccadb26ae9efd81d362b77 | Triage

Submit
Reports

Overview

overview

Static

static

9bd407c773...77.exe

windows7-x64

9bd407c773...77.exe

windows10-2004-x64

1

Sharing

General

Target

9bd407c77373ec66f798ade73998efcaab8b4f5cd8ccadb26ae9efd81d362b77
Size

416KB
Sample

221201-aw7gxahd44
MD5

c64445ea610f9f6dd341268ce5851357
SHA1

2ae1bd7236e343bd94aef8abcdeea88dbb824ed6
SHA256

9bd407c77373ec66f798ade73998efcaab8b4f5cd8ccadb26ae9efd81d362b77
SHA512

6019002b586470d1d53f0e8306b9dec82f4dee22188413b29683677119b8ee2b0d012e209108f1c5cf35996bdca9a4508c81ff140be8270fea6327739dbef703
SSDEEP

6144:bRFKlSlqxO5s+Mv2gbyzV/d5prKrLfvIe2Vlsyd/sLn5TG5B:KlSl2oIvHi/d5MMr5d/sLhG5B

Score

10^/10

darkcomet guest16 evasion persistence rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

9bd407c77373ec66f798ade73998efcaab8b4f5cd8ccadb26ae9efd81d362b77.exe

Resource

win7-20220901-en

darkcomet guest16 evasion persistence rat trojan upx

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

9bd407c77373ec66f798ade73998efcaab8b4f5cd8ccadb26ae9efd81d362b77.exe

Resource

win10v2004-20220812-en

windows10-2004-x64

1 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

waliu.no-ip.org:1604

Mutex

DC_MUTEX-NG6R1SJ

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
fgSw505LKidg
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  9bd407c77373ec66f798ade73998efcaab8b4f5cd8ccadb26ae9efd81d362b77
- Size
  
  416KB
- MD5
  
  c64445ea610f9f6dd341268ce5851357
- SHA1
  
  2ae1bd7236e343bd94aef8abcdeea88dbb824ed6
- SHA256
  
  9bd407c77373ec66f798ade73998efcaab8b4f5cd8ccadb26ae9efd81d362b77
- SHA512
  
  6019002b586470d1d53f0e8306b9dec82f4dee22188413b29683677119b8ee2b0d012e209108f1c5cf35996bdca9a4508c81ff140be8270fea6327739dbef703
- SSDEEP
  
  6144:bRFKlSlqxO5s+Mv2gbyzV/d5prKrLfvIe2Vlsyd/sLn5TG5B:KlSl2oIvHi/d5MMr5d/sLhG5B
Score

10^/10

darkcomet guest16 evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Deletes itself
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometguest16evasionpersistencerattrojanupx

behavioral2

© 2018-2024

Terms | Privacy