darkcomet | daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1 | Triage

Sharing

General

Target

daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1
Size

1.2MB
Sample

221203-eefebacc22
MD5

2d1552fc4d7061d7ff2d0bb329f93e70
SHA1

cda6295ea30076e323b49405be0e61319d037e69
SHA256

daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1
SHA512

b544a1cdaa9ab1a30ba5f888ecdec0c4336ff7abde5b60ec0080c4ef9ed86d1902ee752f2e46fa7b6182a4ace735905ac3aa0c716ea38a1f7610736b531643b9
SSDEEP

12288:RjFPs8PRJ7xEhU4X2EV+luiIPBLX8eI+LchMP+8uQBiJSKfK5tjZAp6q8g/6PmSJ:nZrAIIMqhPZ5IZGZcUYw62mY

Score

10^/10

darkcomet zombk evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

zombk

C2

zombk.no-ip.org:1500

127.0.0.1:1500

192.168.1.43:1500

Mutex

DC_MUTEX-DR20D9S

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
2hEkSK4e2CCs
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1
- Size
  
  1.2MB
- MD5
  
  2d1552fc4d7061d7ff2d0bb329f93e70
- SHA1
  
  cda6295ea30076e323b49405be0e61319d037e69
- SHA256
  
  daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1
- SHA512
  
  b544a1cdaa9ab1a30ba5f888ecdec0c4336ff7abde5b60ec0080c4ef9ed86d1902ee752f2e46fa7b6182a4ace735905ac3aa0c716ea38a1f7610736b531643b9
- SSDEEP
  
  12288:RjFPs8PRJ7xEhU4X2EV+luiIPBLX8eI+LchMP+8uQBiJSKfK5tjZAp6q8g/6PmSJ:nZrAIIMqhPZ5IZGZcUYw62mY
Score

10^/10

darkcomet zombk evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometzombkevasionpersistencerattrojan

behavioral2

darkcometzombkevasionpersistencerattrojan