darkcomet | 5a0f16fb3fb2947cc41ddc38107c63a831263deed2b98fea26be1bdc2d732bd7 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

7ef4bc33ff80810898565ea651d219e4.exe
Size

1.3MB
Sample

240102-tjgkhahebm
MD5

7ef4bc33ff80810898565ea651d219e4
SHA1

141d5a5cb4897d92420737dc0f7369010808a289
SHA256

5a0f16fb3fb2947cc41ddc38107c63a831263deed2b98fea26be1bdc2d732bd7
SHA512

f6e125408716172ee161bb7c70e45f28a4dac071045ee6801202235ff73d125b66303f2b0ce4202b3e0de71b5561642a53f776270a13ebaa263c9385d5e2ad41
SSDEEP

24576:1YJ9CLcZ5hJpfEZjN2yZVqYQShiKyLtg8qoQlokK7bBhvGGXWDGMtGZDq:1YL75tf+2mdQXKyhhqblLKPqDGMQZW

Score

10^/10

darkcomet my_setting evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

my_setting

C2

xfreex.dnsd.info:1604

Mutex

DC_MUTEX-YZGQ90J

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
k9dKyxgnhuJj
install
true
offline_keylogger
false
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  7ef4bc33ff80810898565ea651d219e4.exe
- Size
  
  1.3MB
- MD5
  
  7ef4bc33ff80810898565ea651d219e4
- SHA1
  
  141d5a5cb4897d92420737dc0f7369010808a289
- SHA256
  
  5a0f16fb3fb2947cc41ddc38107c63a831263deed2b98fea26be1bdc2d732bd7
- SHA512
  
  f6e125408716172ee161bb7c70e45f28a4dac071045ee6801202235ff73d125b66303f2b0ce4202b3e0de71b5561642a53f776270a13ebaa263c9385d5e2ad41
- SSDEEP
  
  24576:1YJ9CLcZ5hJpfEZjN2yZVqYQShiKyLtg8qoQlokK7bBhvGGXWDGMtGZDq:1YL75tf+2mdQXKyhhqblLKPqDGMQZW
Score

10^/10

darkcomet my_setting evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometmy_settingevasionpersistencerattrojan

behavioral2

darkcometmy_settingevasionpersistencerattrojan