darkcomet | 39b902c7f2684b5faf01bb3872ddd4fd4066f15553e6b009a9be0fef85928b2c | Triage

Sharing

General

Target

NEAS.8b48a1b5a19cb1e67f43c81386fa26d0.exe
Size

325KB
Sample

231101-rj6taafd67
MD5

8b48a1b5a19cb1e67f43c81386fa26d0
SHA1

bb8d38a056d805d0f10fbdbe810f968ff3b9d184
SHA256

39b902c7f2684b5faf01bb3872ddd4fd4066f15553e6b009a9be0fef85928b2c
SHA512

361cac8ab1d20df90dd498c6cee0f0b0a8a1716b88a0ce437c48defe16c48e416bb3a4e75e97d659fe06d10c26d5dbc0b08a1146283265e8c1da6c744883c2e7
SSDEEP

6144:ZYgZdcJZs091uPFP1QpCT0LurJH1l3ZwzaKAG6cz9eswTfmr/yruO:ZY1JKIMlypCgiFJxlcz9eswT0hO

Score

10^/10

darkcomet wxxxxw evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

WXXXXW

C2

euro2012.no-ip.org:22

euro2012.no-ip.org:3389

euro2012.no-ip.org:5631

Mutex

DC_MUTEX-X2H0E82

Attributes

InstallPath
Debug\msdcsc.exe
gencode
F4JVWk9c0ekU
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  NEAS.8b48a1b5a19cb1e67f43c81386fa26d0.exe
- Size
  
  325KB
- MD5
  
  8b48a1b5a19cb1e67f43c81386fa26d0
- SHA1
  
  bb8d38a056d805d0f10fbdbe810f968ff3b9d184
- SHA256
  
  39b902c7f2684b5faf01bb3872ddd4fd4066f15553e6b009a9be0fef85928b2c
- SHA512
  
  361cac8ab1d20df90dd498c6cee0f0b0a8a1716b88a0ce437c48defe16c48e416bb3a4e75e97d659fe06d10c26d5dbc0b08a1146283265e8c1da6c744883c2e7
- SSDEEP
  
  6144:ZYgZdcJZs091uPFP1QpCT0LurJH1l3ZwzaKAG6cz9eswTfmr/yruO:ZY1JKIMlypCgiFJxlcz9eswT0hO
Score

10^/10

darkcomet wxxxxw evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometwxxxxwevasionpersistencerattrojanupx

behavioral2