darkcomet | a6f6ab5e7f05cbec8868a845a471f758e8f8498f6981fa287526bafcadd80f1f | Triage

Submit
Reports

Overview

overview

Static

static

Exploit.exe

windows7-x64

Sharing

General

Target

Exploit.exe
Size

796KB
Sample

230829-kwp8qsbe68
MD5

88544faee260aede61c03af6edd43236
SHA1

9b5a8fcd6961a832ee22317a9eac1699e3174fb4
SHA256

a6f6ab5e7f05cbec8868a845a471f758e8f8498f6981fa287526bafcadd80f1f
SHA512

09ea4923c401c81cc8800b4868c33ebf27a9ac603eb5703a778e329f87d40bbdef7edf4f8650894802a0279e639f647b556792a6dc856eb85d951eee4e80fcf5
SSDEEP

12288:orJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h2b/9HFJ4:o1xuVVjfFoynPaVBUR8f+kN10EB41s

Score

10^/10

darkcomet neshta guest16 evasion persistence rat spyware stealer trojan

Static task

static1

neshta darkcomet

4 signatures

Behavioral task

behavioral1

Sample

Exploit.exe

Resource

win7-20230712-en

darkcomet neshta guest16 evasion persistence rat spyware stealer trojan

windows7-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-0GMGVTE

Attributes

InstallPath
Java\msdcsc.exe
gencode
loY0Hi6SPKca
install
true
offline_keylogger
true
persistence
false
reg_key
Java_update

Targets

- Target
  
  Exploit.exe
- Size
  
  796KB
- MD5
  
  88544faee260aede61c03af6edd43236
- SHA1
  
  9b5a8fcd6961a832ee22317a9eac1699e3174fb4
- SHA256
  
  a6f6ab5e7f05cbec8868a845a471f758e8f8498f6981fa287526bafcadd80f1f
- SHA512
  
  09ea4923c401c81cc8800b4868c33ebf27a9ac603eb5703a778e329f87d40bbdef7edf4f8650894802a0279e639f647b556792a6dc856eb85d951eee4e80fcf5
- SSDEEP
  
  12288:orJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h2b/9HFJ4:o1xuVVjfFoynPaVBUR8f+kN10EB41s
Score

10^/10

darkcomet neshta guest16 evasion persistence rat spyware stealer trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Detect Neshta payload
- Modifies WinLogon for persistence
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Event Triggered Execution

Change Default File Association

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Event Triggered Execution

Change Default File Association

Defense Evasion

Modify Registry

Hide Artifacts

Hidden Files and Directories

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

neshtadarkcomet

behavioral1

darkcometneshtaguest16evasionpersistenceratspywarestealertrojan

© 2018-2023

Terms | Privacy