darkcomet | a9a7e4f65b15cbb5e6276488508e1c5d7c63590e2c73a584a413476fc8848d36 | Triage

Sharing

General

Target

Hack X1000 1.1.bin.zip
Size

340KB
Sample

231005-zwgc6ahd25
MD5

90299a8aa34ac24c015a395bb86f1383
SHA1

e0d45088e262ca821df70955fda9ea56dfc90ae7
SHA256

a9a7e4f65b15cbb5e6276488508e1c5d7c63590e2c73a584a413476fc8848d36
SHA512

061e3098eae56572244861a5fe7e400c5e248470117bd782afbb5e62030ea415d7c62016caa8f8e4a257190b6a78f639ec8c0ba8db033034cf22d99382c43e71
SSDEEP

6144:eNPXAt9IhJxRE7Hyg7joJ9lHLaPECfKOEfuLfnFcCsh/GYaRTya7S+yoVx0DD2:eNYt+hJxSrygYJqyOhfu5h/GlTySS+3R

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

192.168.1.8:4444

Mutex

DC_MUTEX-26BR6RC

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
njZx3Bkpuz6x
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  Hack X1000 1.1.bin
- Size
  
  756KB
- MD5
  
  74b69971031e3ed8edac827863f464cb
- SHA1
  
  97f44a38f292cad03e716857b113a4cb60bc199e
- SHA256
  
  5ff3a8d4425ada0f861da4b8177348506e0ba8870dd72ebdb5f58699f6eb69f9
- SHA512
  
  0002a9c817da27df65c242627d64a987dfa5f8a55e7fec55754d0678bf37e1dbb9628691b11195a1378f39eba69e0940215ea6a883a964ca42a905e8d75d206c
- SSDEEP
  
  12288:V9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hu:fZ1xuVVjfFoynPaVBUR8f+kN10EBk
Score

10^/10

darkcomet guest16 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

guest16darkcomet

behavioral1

darkcometguest16evasionpersistencerattrojan