darkcomet

General

Target

9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504
Size

742KB
Sample

221203-dg1mlace7y
MD5

3d9fb784d8bad35e1fc6f114092b0e61
SHA1

21950040713e37949c80b75e4c15fa6163ef67b2
SHA256

9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504
SHA512

9c80a51a0849195f6cac34a8cba53229d05a900d29ba8a327418d5502ee559485b8b1637f07be43404fe737f29a669412e11ffd329b210f04ebd040493230f85
SSDEEP

12288:J08Xr7FoMtKhx92E7eosUsF4hxekb7NKiMRFhoE3KK1:m8b7FoGKX8KeosUO4hwktKbhou/1

Score

10^/10

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

188.190.86.62:1604

Mutex

DC_MUTEX-W0U2X3G

Attributes

gencode
ApppNhBV8t9f
install
false
offline_keylogger
true
persistence
false

Targets

- Target
  
  9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504
- Size
  
  742KB
- MD5
  
  3d9fb784d8bad35e1fc6f114092b0e61
- SHA1
  
  21950040713e37949c80b75e4c15fa6163ef67b2
- SHA256
  
  9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504
- SHA512
  
  9c80a51a0849195f6cac34a8cba53229d05a900d29ba8a327418d5502ee559485b8b1637f07be43404fe737f29a669412e11ffd329b210f04ebd040493230f85
- SSDEEP
  
  12288:J08Xr7FoMtKhx92E7eosUsF4hxekb7NKiMRFhoE3KK1:m8b7FoGKX8KeosUO4hwktKbhou/1
Score

10^/10

darkcomet guest16 discovery rat spyware stealer trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Reads data files stored by FTP clients

Reads local data of messenger clients

Reads user/profile data of web browsers

Checks installed software on the system

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2