darkcomet | 9d74405394bf0ef10eef52f08f41522a0643e6f0d837eff489fee63c1049d753 | Triage

Submit
Reports

Overview

overview

Static

static

3

15eeb17996...f8.exe

windows7-x64

15eeb17996...f8.exe

windows10-2004-x64

Sharing

General

Target

15eeb17996e5c5e1411b99e174cfc1f8
Size

676KB
Sample

231230-mja96ahfaq
MD5

15eeb17996e5c5e1411b99e174cfc1f8
SHA1

ba259020e5ed3a88ee0b6ee64a9d6c496eb380de
SHA256

9d74405394bf0ef10eef52f08f41522a0643e6f0d837eff489fee63c1049d753
SHA512

7ad8e6830ca685b33d2b38b2ee27fad68a755f5e07f52a02b477bd5132f44351dadd012082845b3c0a9831703bc0a9b9b6f6472c3385d4bbc204f2751c8bf02b
SSDEEP

12288:oZm8IssHeJm1BcK7BBlQB2klG+KbW/m3HN/cEhxipgOAvxt7YHji:oQ8dw57BBlQBVI+WWiEWOE3UDi

Score

10^/10

darkcomet evasion persistence rat trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

15eeb17996e5c5e1411b99e174cfc1f8.exe

Resource

win7-20231215-en

darkcomet evasion persistence rat trojan upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

15eeb17996e5c5e1411b99e174cfc1f8.exe

Resource

win10v2004-20231215-en

darkcomet evasion persistence rat trojan upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  15eeb17996e5c5e1411b99e174cfc1f8
- Size
  
  676KB
- MD5
  
  15eeb17996e5c5e1411b99e174cfc1f8
- SHA1
  
  ba259020e5ed3a88ee0b6ee64a9d6c496eb380de
- SHA256
  
  9d74405394bf0ef10eef52f08f41522a0643e6f0d837eff489fee63c1049d753
- SHA512
  
  7ad8e6830ca685b33d2b38b2ee27fad68a755f5e07f52a02b477bd5132f44351dadd012082845b3c0a9831703bc0a9b9b6f6472c3385d4bbc204f2751c8bf02b
- SSDEEP
  
  12288:oZm8IssHeJm1BcK7BBlQB2klG+KbW/m3HN/cEhxipgOAvxt7YHji:oQ8dw57BBlQBVI+WWiEWOE3UDi
Score

10^/10

darkcomet evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometevasionpersistencerattrojanupx

behavioral2

darkcometevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy