General

  • Target

    darkcomet_stub.exe

  • Size

    662KB

  • Sample

    240401-2n8hsahg73

  • MD5

    10bf33fc0b791b5c123bf34647023e46

  • SHA1

    e4859675bd2720c22c59d0bd9bfd4b637a1cd297

  • SHA256

    9300b7b6bf1e06722e9daf487a52e75470583ed9ecb5078b5ad2b753c2179637

  • SHA512

    b9ff6c60888b7bc3049e989190a92dd7b75625c621da319d555b94b310ba1ae407657f9f7398fb6d02d95542276023de8a1c45813d09a29b3c2ed7a9bb237785

  • SSDEEP

    12288:03OpvNW4a76S/Ddon/m09bbYlIaaMcE2YGhq3vo1RnfAvIESJgoE26yc/RQ:iOA4aWNn/m09fKIaaBEtWq3A1Ov8Jgbu

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    7.tcp.eu.ngrok.io:16086

  • Mutex

    DC_MUTEX-VVQ12R5

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    a5HjuWXn17aD

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 2
    • Registry Run Keys / Startup Folder (T1547.001): 1
    • Winlogon Helper DLL (T1547.004): 1
  • Create or Modify System Process (T1543): 1
    • Windows Service (T1543.003): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 2
    • Registry Run Keys / Startup Folder (T1547.001): 1
    • Winlogon Helper DLL (T1547.004): 1
  • Create or Modify System Process (T1543): 1
    • Windows Service (T1543.003): 1

Defense Evasion

  • Modify Registry (T1112): 3

Discovery

  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2

Command and Control

  • Web Service (T1102): 1

Tasks