darkcomet | 70cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11 | Triage

Sharing

General

Target

PO21019612.exe
Size

2.0MB
Sample

230314-jwh9raec43
MD5

72729cee30402c13712d1522aef2974b
SHA1

5e24a49c70260a8cb42469dc41bb6b5f2557ec50
SHA256

70cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11
SHA512

16aaeabd94bec9ec836dbdf3efc4373adced6605be74641d694a5795b8c0502377de339e85d7bad058fe100a984dab97f53ac45270c325b7443f3a153c6b0178
SSDEEP

49152:FXQBFvAF1FMSNqZVIx9RcRK1HsWYnowZm:FeFIFCG9RcRK2Pntm

Score

10^/10

darkcomet nanocore march 2023 evasion keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

darkcomet

Botnet

MARCH 2023

C2

mjosh6995.ddns.net:1754

Mutex

DC_MUTEX-D2P1SDG

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
vlwkQZyi3NSt
install
true
offline_keylogger
true
persistence
true
reg_key
chrome

Extracted

Family

nanocore

Version

1.2.2.0

C2

mjosh6995.ddns.net:2023

lisajennyjohn.ddns.net:2023

Mutex

a7795112-1a95-404c-bdfa-d35dc6f40a46

Attributes

activate_away_mode
false
backup_connection_host
lisajennyjohn.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-12-22T21:54:57.028602236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2023
default_group
MARCH 2023
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
a7795112-1a95-404c-bdfa-d35dc6f40a46
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
mjosh6995.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  PO21019612.exe
- Size
  
  2.0MB
- MD5
  
  72729cee30402c13712d1522aef2974b
- SHA1
  
  5e24a49c70260a8cb42469dc41bb6b5f2557ec50
- SHA256
  
  70cc71ce250a4ec732a59e30adf100878e93d8f7afd4a923628314b9b0e2dc11
- SHA512
  
  16aaeabd94bec9ec836dbdf3efc4373adced6605be74641d694a5795b8c0502377de339e85d7bad058fe100a984dab97f53ac45270c325b7443f3a153c6b0178
- SSDEEP
  
  49152:FXQBFvAF1FMSNqZVIx9RcRK1HsWYnowZm:FeFIFCG9RcRK2Pntm
Score

10^/10

darkcomet nanocore march 2023 evasion keylogger persistence rat spyware stealer trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies security service
  evasion
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Windows security bypass
  evasion trojan
- Disables Task Manager via registry modification
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Winlogon Helper DLL

Modify Existing Service

Hidden Files and Directories

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Disabling Security Tools

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometnanocoremarch 2023evasionkeyloggerpersistenceratspywarestealertrojan

behavioral2

darkcometnanocoremarch 2023evasionkeyloggerpersistenceratspywarestealertrojan