darkcomet | 97ad9e7a86e36a1399c2c4ce15294c68d646ff967344aa98434a243b8a798969 | Triage

Submit
Reports

Overview

overview

Static

static

1

Disney__0.exe

windows10-2004-x64

Resubmissions

20-04-2023 22:43

230420-2njjnacg43 10

20-04-2023 22:32

230420-2f4vmacf85 10

Sharing

General

Target

Disney__0.exe
Size

676KB
Sample

230420-2njjnacg43
MD5

5998172af0276011ebfc07704342874a
SHA1

b4cf3782e372ea9c43a26492f9b70836b822bfea
SHA256

97ad9e7a86e36a1399c2c4ce15294c68d646ff967344aa98434a243b8a798969
SHA512

b402cb2b942ad31232b4641b2bec0863474a5cbaa74a0707f8ce80fce86a4be77c321d99dbf6a896a8daad0b87b925fc71b32315c4922286e0cb931654bf1cb3
SSDEEP

12288:OZBwNKjIStIWhW6p5bu9TlLfUTdwq1TfrBm:Mj/phW6vbuhZUTd3m

Score

10^/10

darkcomet nanocore idman evasion keylogger persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Disney__0.exe

Resource

win10v2004-20230220-it

darkcomet nanocore idman evasion keylogger persistence rat spyware stealer trojan

windows10-2004-x64

35 signatures

1800 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

IDMAN

C2

arrivals.ddns.net:2323

Mutex

DC_MUTEX-391X2ZJ

Attributes

InstallPath
MSDCSC\IDMAN.exe
gencode
CUWbhGwmWBMb
install
true
offline_keylogger
true
persistence
true
reg_key
IDMAN

Targets

- Target
  
  Disney__0.exe
- Size
  
  676KB
- MD5
  
  5998172af0276011ebfc07704342874a
- SHA1
  
  b4cf3782e372ea9c43a26492f9b70836b822bfea
- SHA256
  
  97ad9e7a86e36a1399c2c4ce15294c68d646ff967344aa98434a243b8a798969
- SHA512
  
  b402cb2b942ad31232b4641b2bec0863474a5cbaa74a0707f8ce80fce86a4be77c321d99dbf6a896a8daad0b87b925fc71b32315c4922286e0cb931654bf1cb3
- SSDEEP
  
  12288:OZBwNKjIStIWhW6p5bu9TlLfUTdwq1TfrBm:Mj/phW6vbuhZUTd3m
Score

10^/10

darkcomet nanocore idman evasion keylogger persistence rat spyware stealer trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

darkcometnanocoreidmanevasionkeyloggerpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy