darkcomet | 53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd | Triage

Submit
Reports

Overview

overview

Static

static

5

53378d1cdf...cd.exe

windows7-x64

53378d1cdf...cd.exe

windows10-2004-x64

Sharing

General

Target

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd
Size

2.5MB
Sample

230129-ve5xzaec76
MD5

b85bd40c70b5913df16cac41feae9949
SHA1

88139dbe95928614ab375ef0e3257a925dff0bb7
SHA256

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd
SHA512

4c57449a1afe32959c5b9760ad065392e4e0b29f3f2323202b4649393a764b71dff03af9aa02a7154f0c24e1855b97eb1b32994aa2b692f0844bd29a1d63535d
SSDEEP

49152:7JZoQrbTFZY1iaJag33A46NOBLtCaW/sXdkWQe9D+nwOWYcu2I7RTp/PwWUlLmY6:7trbTA19as3l8OBL+I7D+nwcP3tY6

Score

10^/10

darkcomet victime evasion persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe

Resource

win7-20220812-en

darkcomet victime evasion persistence rat trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd.exe

Resource

win10v2004-20220901-en

darkcomet victime evasion persistence rat trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Victime

C2

shytoos.ddns.net:1604

Mutex

DC_MUTEX-Z8X4H3R

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
JJ52hfcLdTnD
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd
- Size
  
  2.5MB
- MD5
  
  b85bd40c70b5913df16cac41feae9949
- SHA1
  
  88139dbe95928614ab375ef0e3257a925dff0bb7
- SHA256
  
  53378d1cdf29ba3d6281f32d4a787402c750cb60b207565a74f426922a451ccd
- SHA512
  
  4c57449a1afe32959c5b9760ad065392e4e0b29f3f2323202b4649393a764b71dff03af9aa02a7154f0c24e1855b97eb1b32994aa2b692f0844bd29a1d63535d
- SSDEEP
  
  49152:7JZoQrbTFZY1iaJag33A46NOBLtCaW/sXdkWQe9D+nwOWYcu2I7RTp/PwWUlLmY6:7trbTA19as3l8OBL+I7D+nwcP3tY6
Score

10^/10

darkcomet victime evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometvictimeevasionpersistencerattrojan

behavioral2

darkcometvictimeevasionpersistencerattrojan

© 2018-2024

Terms | Privacy