darkcomet | 81ba1230c4e8964a7cea64012eb8eb22d0f5e13ea041f9a1300b62220a80c348 | Triage

Submit
Reports

Overview

overview

Static

static

81ba1230c4...48.exe

windows7-x64

81ba1230c4...48.exe

windows10-2004-x64

Sharing

General

Target

81ba1230c4e8964a7cea64012eb8eb22d0f5e13ea041f9a1300b62220a80c348
Size

647KB
Sample

221201-lzzr1sgb57
MD5

93572b16175cbad5d5f84a94ffe3a92e
SHA1

63cd63ca8af639b3f06747b652ae46fcae0c24c0
SHA256

81ba1230c4e8964a7cea64012eb8eb22d0f5e13ea041f9a1300b62220a80c348
SHA512

1f1c2e2d52f05b14430d7ea9aa44fd400bab52ce9982cba3b0035921d348107c9e1051c856a7f3a0c9bd9d68a793ef5dac563c9446355b189e4e3ed0a57ffebf
SSDEEP

12288:Q8UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1f/gORixL:JUKoN0bUxgGa/pfBHDb+y1HgZl

Score

10^/10

darkcomet evasion persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

81ba1230c4e8964a7cea64012eb8eb22d0f5e13ea041f9a1300b62220a80c348.exe

Resource

win7-20220901-en

darkcomet evasion persistence rat trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

81ba1230c4e8964a7cea64012eb8eb22d0f5e13ea041f9a1300b62220a80c348.exe

Resource

win10v2004-20221111-en

darkcomet evasion persistence rat trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  81ba1230c4e8964a7cea64012eb8eb22d0f5e13ea041f9a1300b62220a80c348
- Size
  
  647KB
- MD5
  
  93572b16175cbad5d5f84a94ffe3a92e
- SHA1
  
  63cd63ca8af639b3f06747b652ae46fcae0c24c0
- SHA256
  
  81ba1230c4e8964a7cea64012eb8eb22d0f5e13ea041f9a1300b62220a80c348
- SHA512
  
  1f1c2e2d52f05b14430d7ea9aa44fd400bab52ce9982cba3b0035921d348107c9e1051c856a7f3a0c9bd9d68a793ef5dac563c9446355b189e4e3ed0a57ffebf
- SSDEEP
  
  12288:Q8UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1f/gORixL:JUKoN0bUxgGa/pfBHDb+y1HgZl
Score

10^/10

darkcomet evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometevasionpersistencerattrojan

behavioral2

darkcometevasionpersistencerattrojan

© 2018-2024

Terms | Privacy