darkcomet | bed715e3b6e26f4fec9c7082aac2394bc7257e2f7469ac22d76eab505de457e0 | Triage

Submit
Reports

Overview

overview

Static

static

bed715e3b6...e0.exe

windows7-x64

bed715e3b6...e0.exe

windows10-2004-x64

Sharing

General

Target

bed715e3b6e26f4fec9c7082aac2394bc7257e2f7469ac22d76eab505de457e0
Size

525KB
Sample

221202-snqhjahh74
MD5

c4c0fee2c7cdf9a44a59f059d6a8803e
SHA1

2562b366ab1188c40d12c3e2f6bca0b9099ca894
SHA256

bed715e3b6e26f4fec9c7082aac2394bc7257e2f7469ac22d76eab505de457e0
SHA512

19f26119f54b9d119c6b95585a5e77d5db686a82a752d26c7bebcff09d17f5f516e0f48f6b07dfc3833a762a212a68d46d12c7c0739387cfafaa94130cf2d0cf
SSDEEP

12288:1f6dZ7vMihuWr7q25JiJ35Ph26p+opTn8SU+G1Dd8/aGrHCP:J6dKiJSg2++BU+QBD

Score

10^/10

darkcomet t-unique evasion persistence rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

bed715e3b6e26f4fec9c7082aac2394bc7257e2f7469ac22d76eab505de457e0.exe

Resource

win7-20220901-en

darkcomet t-unique evasion persistence rat trojan upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

bed715e3b6e26f4fec9c7082aac2394bc7257e2f7469ac22d76eab505de457e0.exe

Resource

win10v2004-20220812-en

darkcomet t-unique evasion persistence rat trojan upx

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

T-Unique

C2

192.168.1.36:43594

Mutex

DC_MUTEX-XGYFVZD

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
40fNn9l6Rkkp
install
true
offline_keylogger
true
persistence
true
reg_key
MicrosoftUpdate

Targets

- Target
  
  bed715e3b6e26f4fec9c7082aac2394bc7257e2f7469ac22d76eab505de457e0
- Size
  
  525KB
- MD5
  
  c4c0fee2c7cdf9a44a59f059d6a8803e
- SHA1
  
  2562b366ab1188c40d12c3e2f6bca0b9099ca894
- SHA256
  
  bed715e3b6e26f4fec9c7082aac2394bc7257e2f7469ac22d76eab505de457e0
- SHA512
  
  19f26119f54b9d119c6b95585a5e77d5db686a82a752d26c7bebcff09d17f5f516e0f48f6b07dfc3833a762a212a68d46d12c7c0739387cfafaa94130cf2d0cf
- SSDEEP
  
  12288:1f6dZ7vMihuWr7q25JiJ35Ph26p+opTn8SU+G1Dd8/aGrHCP:J6dKiJSg2++BU+QBD
Score

10^/10

darkcomet t-unique evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Winlogon Helper DLL

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcomett-uniqueevasionpersistencerattrojanupx

behavioral2

darkcomett-uniqueevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy