darkcomet | 560d6bb6ba9ae2cb68d4126425e062d9dfbcb015b584b249e068a8be2e90e55c | Triage

Submit
Reports

Overview

overview

Static

static

899837875a...JC.exe

windows7-x64

899837875a...JC.exe

windows10-2004-x64

Sharing

General

Target

899837875a8518ca77e909aea58a5670exe_JC.exe
Size

283KB
Sample

230916-v1emxacb4z
MD5

899837875a8518ca77e909aea58a5670
SHA1

3f756582937017f84691bc0c76895a2e51052c12
SHA256

560d6bb6ba9ae2cb68d4126425e062d9dfbcb015b584b249e068a8be2e90e55c
SHA512

4be644fcbb9e1fe3eea7b63d1d1b5d8450a44fcdf996dfc5f69e7c921ba48fbc33d015bfa8c3cc7db8145bbaa9ec7d501ea65b255ae21c78dcbc4938cbeccdaa
SSDEEP

6144:scNYk1yuwEDBum3qYWnl0pd0EX3Zq2b6wfIDYm0PIhp8T:scWkbgTYWnYnt/IDYhPMp8T

Score

10^/10

darkcomet guest16 evasion persistence rat trojan upx

Static task

static1

upx guest16 darkcomet

3 signatures

Behavioral task

behavioral1

Sample

899837875a8518ca77e909aea58a5670exe_JC.exe

Resource

win7-20230831-en

darkcomet guest16 evasion persistence rat trojan upx

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

899837875a8518ca77e909aea58a5670exe_JC.exe

Resource

win10v2004-20230915-en

darkcomet guest16 evasion persistence rat trojan upx

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

193.107.72.82:1604

cs-gocheats.ddns.net:1604

cs-gocheats.ddns.net:81

192.168.88.200:81

192.168.88.200:1604

Mutex

DC_MUTEX-J4EMRRZ

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
SeZXiGzTJYBx
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  899837875a8518ca77e909aea58a5670exe_JC.exe
- Size
  
  283KB
- MD5
  
  899837875a8518ca77e909aea58a5670
- SHA1
  
  3f756582937017f84691bc0c76895a2e51052c12
- SHA256
  
  560d6bb6ba9ae2cb68d4126425e062d9dfbcb015b584b249e068a8be2e90e55c
- SHA512
  
  4be644fcbb9e1fe3eea7b63d1d1b5d8450a44fcdf996dfc5f69e7c921ba48fbc33d015bfa8c3cc7db8145bbaa9ec7d501ea65b255ae21c78dcbc4938cbeccdaa
- SSDEEP
  
  6144:scNYk1yuwEDBum3qYWnl0pd0EX3Zq2b6wfIDYm0PIhp8T:scWkbgTYWnYnt/IDYhPMp8T
Score

10^/10

darkcomet guest16 evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

upxguest16darkcomet

behavioral1

darkcometguest16evasionpersistencerattrojanupx

behavioral2

darkcometguest16evasionpersistencerattrojanupx

© 2018-2023

Terms | Privacy