darkcomet | 9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697 | Triage

Submit
Reports

Overview

overview

Static

static

9315cd0bb5...97.exe

windows7-x64

9315cd0bb5...97.exe

windows10-2004-x64

Sharing

General

Target

9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697
Size

341KB
Sample

221201-az78lshf69
MD5

6229ca5be4d9928440b3d842950f5346
SHA1

f3653d00a8a870a0437d18f3a4441ede275cbbf0
SHA256

9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697
SHA512

4607bac5b368fbe660ed6e3d3f572951f0d16b6401ba1dd791244ccf73ab15f169b073cdeb70f8bcbc289208bbde17ce96506195683a2566646dcbef498e91bc
SSDEEP

6144:Q8XdZ0iRwHoMg8HuRLp5RdHCmP2nwoQKnsv1ieNlBF:bfwIYuRLplCmPswo/sv1ieNlBF

Score

10^/10

darkcomet csrss evasion persistence rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe

Resource

win7-20220812-en

darkcomet csrss evasion persistence rat trojan upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe

Resource

win10v2004-20220812-en

darkcomet csrss evasion persistence rat trojan upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

csrss

C2

armyk.no-ip.org:82

Mutex

DC_MUTEX-VS1TED3

Attributes

InstallPath
wuauclt.exe
gencode
MKcgY6l5UWgn
install
true
offline_keylogger
true
persistence
true
reg_key
Windows Update

Targets

- Target
  
  9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697
- Size
  
  341KB
- MD5
  
  6229ca5be4d9928440b3d842950f5346
- SHA1
  
  f3653d00a8a870a0437d18f3a4441ede275cbbf0
- SHA256
  
  9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697
- SHA512
  
  4607bac5b368fbe660ed6e3d3f572951f0d16b6401ba1dd791244ccf73ab15f169b073cdeb70f8bcbc289208bbde17ce96506195683a2566646dcbef498e91bc
- SSDEEP
  
  6144:Q8XdZ0iRwHoMg8HuRLp5RdHCmP2nwoQKnsv1ieNlBF:bfwIYuRLplCmPswo/sv1ieNlBF
Score

10^/10

darkcomet csrss evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometcsrssevasionpersistencerattrojanupx

behavioral2

darkcometcsrssevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy