darkcomet | c76dc27b6ffba36d451ef02c8f1680dfa40408ec2f1c476a0eb3aadbb30e4aff | Triage

Submit
Reports

Overview

overview

Static

static

c76dc27b6f...ff.exe

windows7-x64

c76dc27b6f...ff.exe

windows10-2004-x64

Sharing

General

Target

c76dc27b6ffba36d451ef02c8f1680dfa40408ec2f1c476a0eb3aadbb30e4aff
Size

377KB
Sample

221203-fx1cwage59
MD5

a1f0d356df081f4cde159183f402ee93
SHA1

3c71aedd2eda2d572fd0cb575fa13e7e74b6cefd
SHA256

c76dc27b6ffba36d451ef02c8f1680dfa40408ec2f1c476a0eb3aadbb30e4aff
SHA512

47442e3b227fde91498ac2096d6eda15b65817c0a9cd192cf787eccadd67973e87c1d8d9b47812e812e03ec74548b998173f25fc255fb8c97631ac5cbd70a833
SSDEEP

6144:GxL3BJrfJXTGhbR1OJguwMNNvyGAcE0njDs9Eoej+4+bnjb3PZAizgk9:urTfkNF3aNvyGAhE09yKdjjDZxp

Score

10^/10

darkcomet hf evasion persistence rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

c76dc27b6ffba36d451ef02c8f1680dfa40408ec2f1c476a0eb3aadbb30e4aff.exe

Resource

win7-20221111-en

darkcomet hf evasion persistence rat trojan upx

windows7-x64

23 signatures

150 seconds

Behavioral task

behavioral2

Sample

c76dc27b6ffba36d451ef02c8f1680dfa40408ec2f1c476a0eb3aadbb30e4aff.exe

Resource

win10v2004-20221111-en

darkcomet hf evasion persistence rat trojan upx

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

HF

C2

safethinking.zapto.org:1604

Mutex

DC_MUTEX-F0NJMAE

Attributes

InstallPath
MSDCSC\svchost.exe
gencode
JGGiVLcb5Yzq
install
true
offline_keylogger
true
persistence
true
reg_key
svchost

Targets

- Target
  
  c76dc27b6ffba36d451ef02c8f1680dfa40408ec2f1c476a0eb3aadbb30e4aff
- Size
  
  377KB
- MD5
  
  a1f0d356df081f4cde159183f402ee93
- SHA1
  
  3c71aedd2eda2d572fd0cb575fa13e7e74b6cefd
- SHA256
  
  c76dc27b6ffba36d451ef02c8f1680dfa40408ec2f1c476a0eb3aadbb30e4aff
- SHA512
  
  47442e3b227fde91498ac2096d6eda15b65817c0a9cd192cf787eccadd67973e87c1d8d9b47812e812e03ec74548b998173f25fc255fb8c97631ac5cbd70a833
- SSDEEP
  
  6144:GxL3BJrfJXTGhbR1OJguwMNNvyGAcE0njDs9Eoej+4+bnjb3PZAizgk9:urTfkNF3aNvyGAhE09yKdjjDZxp
Score

10^/10

darkcomet hf evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcomethfevasionpersistencerattrojanupx

behavioral2

darkcomethfevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy