darkcomet | 6ff88fc070118d3dbffb5c1b7cf3a328d1d82f741418038d974f4406d8c1a93b | Triage

Submit
Reports

Overview

overview

Static

static

9ef45e8fc3...4e.exe

windows7-x64

9ef45e8fc3...4e.exe

windows10-2004-x64

Sharing

General

Target

49f227f4711ee473da73cefa669d6e0e.bin
Size

390KB
Sample

230412-cn82waaf21
MD5

6a61e5763fb6af2d96578a1857ca0f18
SHA1

9c712ad595105e9b91eac07e4718324d782914c0
SHA256

6ff88fc070118d3dbffb5c1b7cf3a328d1d82f741418038d974f4406d8c1a93b
SHA512

12001dc3d62a9a68bea8124a6016b2335523dd9eab34c4b2ad7f046800193177ce13da3bbf572cff4a66a1285d862f5f19ec4fdb382e809664611fc16036a5e5
SSDEEP

6144:Lj2pLh3Im6X0czptvJSMEmCtAMVJxCQSjxtmxuVUwnxyBFTX5MKn4wqbZr09:qam4nGtbVGJ7xVxnxyTXpn4nbZI9

Score

10^/10

darkcomet evasion persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe

Resource

win7-20230220-en

darkcomet persistence rat trojan

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe

Resource

win10v2004-20230221-en

darkcomet evasion persistence rat trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Targets

- Target
  
  9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
- Size
  
  821KB
- MD5
  
  49f227f4711ee473da73cefa669d6e0e
- SHA1
  
  5af5186ee656020ee301c48dd92b9720d3ccf4ad
- SHA256
  
  9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e
- SHA512
  
  63abcd3ef56ecfa80fed804c7993a0e54ab9d0fdf7bd15c5379f6e16ccd56f230edcb0d6c559cd837a892ff50b4944aaaec9bf95a253460352dbb14fbbb7249f
- SSDEEP
  
  12288:TFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0w/q9jJ:h3nbWmJVJFwSddIXvfhqbiaxvRxq9
Score

10^/10

darkcomet persistence rat trojan evasion
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometpersistencerattrojan

behavioral2

darkcometevasionpersistencerattrojan

© 2018-2024

Terms | Privacy