darkcomet | 87ed3f85134bd69e592ac795ac03f8236f6c27ce2fe66b5d76711b2f70e3f36c | Triage

Submit
Reports

Overview

overview

Static

static

87ed3f8513...6c.exe

windows7-x64

87ed3f8513...6c.exe

windows10-2004-x64

Sharing

General

Target

87ed3f85134bd69e592ac795ac03f8236f6c27ce2fe66b5d76711b2f70e3f36c
Size

251KB
Sample

230408-hwm29scc23
MD5

774eea43d81ca517ca178775e01932a5
SHA1

250dd4f6cb21fae98e60987fa4e3aedbb8b9e1da
SHA256

87ed3f85134bd69e592ac795ac03f8236f6c27ce2fe66b5d76711b2f70e3f36c
SHA512

00d51a872413ddeee7ae00b4e4c079d7345d0a09a4b3dd6a31de65121de164f87c3ae99d9a04832c72df18055120dcbd47d3b0ad3179a5ab3d0174a84773c884
SSDEEP

6144:7cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37:7cW7KEZlPzCy37

Score

10^/10

darkcomet xoux evasion persistence rat trojan upx

Static task

static1

upx xoux darkcomet

2 signatures

Behavioral task

behavioral1

Sample

87ed3f85134bd69e592ac795ac03f8236f6c27ce2fe66b5d76711b2f70e3f36c.exe

Resource

win7-20230220-en

darkcomet xoux evasion persistence rat trojan upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

87ed3f85134bd69e592ac795ac03f8236f6c27ce2fe66b5d76711b2f70e3f36c.exe

Resource

win10v2004-20230220-en

darkcomet xoux evasion persistence rat trojan upx

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

xoux

C2

rb-scripts.ddns.net:1604

192.168.1.64:1604

Mutex

DC_MUTEX-TQ1YJBX

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
uMkCruJ6lH8w
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  87ed3f85134bd69e592ac795ac03f8236f6c27ce2fe66b5d76711b2f70e3f36c
- Size
  
  251KB
- MD5
  
  774eea43d81ca517ca178775e01932a5
- SHA1
  
  250dd4f6cb21fae98e60987fa4e3aedbb8b9e1da
- SHA256
  
  87ed3f85134bd69e592ac795ac03f8236f6c27ce2fe66b5d76711b2f70e3f36c
- SHA512
  
  00d51a872413ddeee7ae00b4e4c079d7345d0a09a4b3dd6a31de65121de164f87c3ae99d9a04832c72df18055120dcbd47d3b0ad3179a5ab3d0174a84773c884
- SSDEEP
  
  6144:7cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37:7cW7KEZlPzCy37
Score

10^/10

darkcomet xoux evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

upxxouxdarkcomet

behavioral1

darkcometxouxevasionpersistencerattrojanupx

behavioral2

darkcometxouxevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy