darkcomet | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e | Triage

Submit
Reports

Overview

overview

Static

static

Foto Com Ela.exe

windows7-x64

Foto Com Ela.exe

windows10-2004-x64

Sharing

General

Target

Foto Com Ela.exe
Size

821KB
Sample

230410-qaf1tsbc2w
MD5

49f227f4711ee473da73cefa669d6e0e
SHA1

5af5186ee656020ee301c48dd92b9720d3ccf4ad
SHA256

9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e
SHA512

63abcd3ef56ecfa80fed804c7993a0e54ab9d0fdf7bd15c5379f6e16ccd56f230edcb0d6c559cd837a892ff50b4944aaaec9bf95a253460352dbb14fbbb7249f
SSDEEP

12288:TFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0w/q9jJ:h3nbWmJVJFwSddIXvfhqbiaxvRxq9

Score

10^/10

darkcomet evasion persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Foto Com Ela.exe

Resource

win7-20230220-en

darkcomet persistence rat trojan

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

Foto Com Ela.exe

Resource

win10v2004-20230220-en

darkcomet evasion persistence rat trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Targets

- Target
  
  Foto Com Ela.exe
- Size
  
  821KB
- MD5
  
  49f227f4711ee473da73cefa669d6e0e
- SHA1
  
  5af5186ee656020ee301c48dd92b9720d3ccf4ad
- SHA256
  
  9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e
- SHA512
  
  63abcd3ef56ecfa80fed804c7993a0e54ab9d0fdf7bd15c5379f6e16ccd56f230edcb0d6c559cd837a892ff50b4944aaaec9bf95a253460352dbb14fbbb7249f
- SSDEEP
  
  12288:TFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0w/q9jJ:h3nbWmJVJFwSddIXvfhqbiaxvRxq9
Score

10^/10

darkcomet persistence rat trojan evasion
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometpersistencerattrojan

behavioral2

darkcometevasionpersistencerattrojan

© 2018-2024

Terms | Privacy