darkcomet | 2d2cb66feb848fd2242d7876f4914fa8f4ac7793ba7f416d17fa3d93deaa0fba | Triage

Sharing

General

Target

b52bb7d593fdfefbf59e3bf21e1b3853
Size

629KB
Sample

240305-t8sn3acd38
MD5

b52bb7d593fdfefbf59e3bf21e1b3853
SHA1

247912905107a9a2d0e540f6c026d8fc29d3d480
SHA256

2d2cb66feb848fd2242d7876f4914fa8f4ac7793ba7f416d17fa3d93deaa0fba
SHA512

12ea4eb359dbce559d1a62d42d923f01dc320325e62a9c3befc1ee52ce2e5dd43d45b1e781e121b1ba73c1876b10231b54f5500b05225861471a474a630917ac
SSDEEP

12288:DB0hps3/cUseAZUhmqe77j9ab1Xirk+LGghVgZRYbfwE:DOhO9GZQmqexabYr5L1PgYboE

Score

10^/10

darkcomet guest16_min persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

127.0.0.1:1604

Mutex

DCMIN_MUTEX-5QQ6WPK

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
JLHXAKF5YbYE
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Targets

- Target
  
  b52bb7d593fdfefbf59e3bf21e1b3853
- Size
  
  629KB
- MD5
  
  b52bb7d593fdfefbf59e3bf21e1b3853
- SHA1
  
  247912905107a9a2d0e540f6c026d8fc29d3d480
- SHA256
  
  2d2cb66feb848fd2242d7876f4914fa8f4ac7793ba7f416d17fa3d93deaa0fba
- SHA512
  
  12ea4eb359dbce559d1a62d42d923f01dc320325e62a9c3befc1ee52ce2e5dd43d45b1e781e121b1ba73c1876b10231b54f5500b05225861471a474a630917ac
- SSDEEP
  
  12288:DB0hps3/cUseAZUhmqe77j9ab1Xirk+LGghVgZRYbfwE:DOhO9GZQmqexabYr5L1PgYboE
Score

10^/10

darkcomet guest16_min persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16_minpersistencerattrojan

behavioral2

darkcometguest16_minpersistencerattrojan