darkcomet | 6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb | Triage

Submit
Reports

Overview

overview

Static

static

6186ade7a5...bb.exe

windows7-x64

6186ade7a5...bb.exe

windows10-2004-x64

8

Sharing

General

Target

6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb
Size

932KB
Sample

221202-zj2tbsce64
MD5

7e80342ffb90f453028d8606d219711c
SHA1

01994770e9fa0ed87157ae1f621c5d4e54fe2c72
SHA256

6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb
SHA512

1e2b172c941583ed5ae395f34301e0d982d397a940d01b548e803c2533a6f289c81631543d5998b7e1b1162ab0e764cfd8f1e301c356bc9ae13b33a0c7dc4f29
SSDEEP

12288:lDKoo9n4dhg6XpkikDinEo4ccilYWkPLk8+IPfI7oRn6xXBIedJ/RRo:7OnWg6Z3k049WwLk8G7ol6dBIeM

Score

10^/10

darkcomet deupdate persistence rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe

Resource

win7-20220812-en

darkcomet deupdate persistence rat trojan upx

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb.exe

Resource

win10v2004-20220812-en

persistence upx

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

DEUPDATE

C2

xdarkx.zapto.org:1604

Mutex

DC_MUTEX-5HAFWPD

Attributes

gencode
h7Ba7QTpm8E6
install
false
offline_keylogger
true
persistence
false

Targets

- Target
  
  6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb
- Size
  
  932KB
- MD5
  
  7e80342ffb90f453028d8606d219711c
- SHA1
  
  01994770e9fa0ed87157ae1f621c5d4e54fe2c72
- SHA256
  
  6186ade7a5119083d12d73295f5d6e1247cfb1a23d5144dc7ff5eb4ff1be78bb
- SHA512
  
  1e2b172c941583ed5ae395f34301e0d982d397a940d01b548e803c2533a6f289c81631543d5998b7e1b1162ab0e764cfd8f1e301c356bc9ae13b33a0c7dc4f29
- SSDEEP
  
  12288:lDKoo9n4dhg6XpkikDinEo4ccilYWkPLk8+IPfI7oRn6xXBIedJ/RRo:7OnWg6Z3k049WwLk8G7ol6dBIeM
Score

10^/10

darkcomet deupdate persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometdeupdatepersistencerattrojanupx

behavioral2

© 2018-2024

Terms | Privacy