darkcomet | 86c3c7f8c4ef254f6f11f41b3f02994b26ac9158cbd2be948d5441e1a103aa3f | Triage

Submit
Reports

Overview

overview

Static

static

86c3c7f8c4...3f.exe

windows7-x64

86c3c7f8c4...3f.exe

windows10-2004-x64

Sharing

General

Target

86c3c7f8c4ef254f6f11f41b3f02994b26ac9158cbd2be948d5441e1a103aa3f
Size

606KB
Sample

221205-cjhzwsfc63
MD5

428a73f481be105145733d13fef11786
SHA1

3a3eaf458ae395154af786608dcc20db30199967
SHA256

86c3c7f8c4ef254f6f11f41b3f02994b26ac9158cbd2be948d5441e1a103aa3f
SHA512

9c5ff99598f7bf20dd8b6272f4ab7ac9a7a1e0eb4d96e4899b397bb06b7e40777861dde18f54ea9316b4357a5745299615df3929308e938743b176111ac69b1f
SSDEEP

12288:aAM0fXSeLv7dC7WIUCjHaySJcRyz5VfAERUcjBVhAW6bJxg1Y:VhWXjHuZxjtX6

Score

10^/10

darkcomet hf evasion persistence rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

86c3c7f8c4ef254f6f11f41b3f02994b26ac9158cbd2be948d5441e1a103aa3f.exe

Resource

win7-20221111-en

darkcomet hf evasion persistence rat trojan upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

86c3c7f8c4ef254f6f11f41b3f02994b26ac9158cbd2be948d5441e1a103aa3f.exe

Resource

win10v2004-20220812-en

darkcomet hf persistence rat trojan upx

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

HF

C2

abdelkader1313.no-ip.org:81

Mutex

DC_MUTEX-4SWSAXQ

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
PxBmf9ltGMpH
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  86c3c7f8c4ef254f6f11f41b3f02994b26ac9158cbd2be948d5441e1a103aa3f
- Size
  
  606KB
- MD5
  
  428a73f481be105145733d13fef11786
- SHA1
  
  3a3eaf458ae395154af786608dcc20db30199967
- SHA256
  
  86c3c7f8c4ef254f6f11f41b3f02994b26ac9158cbd2be948d5441e1a103aa3f
- SHA512
  
  9c5ff99598f7bf20dd8b6272f4ab7ac9a7a1e0eb4d96e4899b397bb06b7e40777861dde18f54ea9316b4357a5745299615df3929308e938743b176111ac69b1f
- SSDEEP
  
  12288:aAM0fXSeLv7dC7WIUCjHaySJcRyz5VfAERUcjBVhAW6bJxg1Y:VhWXjHuZxjtX6
Score

10^/10

darkcomet hf evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Winlogon Helper DLL

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcomethfevasionpersistencerattrojanupx

behavioral2

darkcomethfpersistencerattrojanupx

© 2018-2024

Terms | Privacy