darkcomet | 6d0ce472e07e0bcedad9f932e82512e2f4dd3db90afa0b7004d736b4b7fe7672 | Triage

Submit
Reports

Overview

overview

Static

static

3

075448d611...9a.exe

windows7-x64

075448d611...9a.exe

windows10-2004-x64

1

Sharing

General

Target

075448d611663baa510daefcb583469a
Size

548KB
Sample

231225-fynqgadfep
MD5

075448d611663baa510daefcb583469a
SHA1

c523655c92dbcc28b1a1fb2dd1f95e4333597f49
SHA256

6d0ce472e07e0bcedad9f932e82512e2f4dd3db90afa0b7004d736b4b7fe7672
SHA512

4caf88720b3d2306e2e006ca9bbc12373d9b088c09218c642feaf142023265fa9bbf0b057e86225adb8799b35d3070d9560709b198c4fea182b6047d161435ec
SSDEEP

12288:HC8+l4wxUipjq5+Mou292BPMusotX6rwzW6XVFJ04qp4OsYOhg59AoWmO:Kq292BPTf0npPv4mO

Score

10^/10

darkcomet slave persistence rat trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

075448d611663baa510daefcb583469a.exe

Resource

win7-20231215-en

darkcomet slave persistence rat trojan upx

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

075448d611663baa510daefcb583469a.exe

Resource

win10v2004-20231215-en

windows10-2004-x64

0 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Slave

C2

darkcometramon.zapto.org:1604

Mutex

DC_MUTEX-WACNQ32

Attributes

InstallPath
MSDCSC\Update.exe
gencode
1Zo5tGcdvz3w
install
true
offline_keylogger
true
persistence
false
reg_key
WindowsUpdater

Targets

- Target
  
  075448d611663baa510daefcb583469a
- Size
  
  548KB
- MD5
  
  075448d611663baa510daefcb583469a
- SHA1
  
  c523655c92dbcc28b1a1fb2dd1f95e4333597f49
- SHA256
  
  6d0ce472e07e0bcedad9f932e82512e2f4dd3db90afa0b7004d736b4b7fe7672
- SHA512
  
  4caf88720b3d2306e2e006ca9bbc12373d9b088c09218c642feaf142023265fa9bbf0b057e86225adb8799b35d3070d9560709b198c4fea182b6047d161435ec
- SSDEEP
  
  12288:HC8+l4wxUipjq5+Mou292BPMusotX6rwzW6XVFJ04qp4OsYOhg59AoWmO:Kq292BPTf0npPv4mO
Score

10^/10

darkcomet slave persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

darkcometslavepersistencerattrojanupx

behavioral2

© 2018-2024

Terms | Privacy