darkcomet | 8abea63ae718961fedbb03715ef8ae75a0692ce147d63022861b34f5a6b441ef | Triage

Submit
Reports

Overview

overview

Static

static

8abea63ae7...ef.exe

windows7-x64

8abea63ae7...ef.exe

windows10-2004-x64

Sharing

General

Target

8abea63ae718961fedbb03715ef8ae75a0692ce147d63022861b34f5a6b441ef
Size

1.5MB
Sample

221202-1wyg4shb83
MD5

5f5bb24ef830fbb5f551d5b38d60df97
SHA1

20e9f9002e049cd73a628a1448a853cbb84f4514
SHA256

8abea63ae718961fedbb03715ef8ae75a0692ce147d63022861b34f5a6b441ef
SHA512

d8f2b8ff8d053a3415706c280b6eca0ea4b5e258b17d62372521279e67d8a5a8ae85bfeaf59f69c8a983f4cf7a44018caa75eb832861da222794f6e288b72a18
SSDEEP

24576:rg3YT2QMW8gwS+LgKrROcuZEROM/2K4AyVQx1i/I4ESJJKaPRR6nAETVgLk0gQv:rg3YTr7u1fELK4Cx1r2JJhj6ApLLgQ

Score

10^/10

darkcomet adware persistence rat stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

8abea63ae718961fedbb03715ef8ae75a0692ce147d63022861b34f5a6b441ef.exe

Resource

win7-20220901-en

darkcomet persistence rat trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

8abea63ae718961fedbb03715ef8ae75a0692ce147d63022861b34f5a6b441ef.exe

Resource

win10v2004-20220812-en

darkcomet adware persistence rat stealer trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Targets

- Target
  
  8abea63ae718961fedbb03715ef8ae75a0692ce147d63022861b34f5a6b441ef
- Size
  
  1.5MB
- MD5
  
  5f5bb24ef830fbb5f551d5b38d60df97
- SHA1
  
  20e9f9002e049cd73a628a1448a853cbb84f4514
- SHA256
  
  8abea63ae718961fedbb03715ef8ae75a0692ce147d63022861b34f5a6b441ef
- SHA512
  
  d8f2b8ff8d053a3415706c280b6eca0ea4b5e258b17d62372521279e67d8a5a8ae85bfeaf59f69c8a983f4cf7a44018caa75eb832861da222794f6e288b72a18
- SSDEEP
  
  24576:rg3YT2QMW8gwS+LgKrROcuZEROM/2K4AyVQx1i/I4ESJJKaPRR6nAETVgLk0gQv:rg3YTr7u1fELK4Cx1r2JJhj6ApLLgQ
Score

10^/10

darkcomet persistence rat trojan adware stealer
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometpersistencerattrojan

behavioral2

darkcometadwarepersistenceratstealertrojan

© 2018-2024

Terms | Privacy