darkcomet | a6244295c0b7120af0f92ab683776621625705086637e3d01b44106e5e4126a4 | Triage

Submit
Reports

Overview

overview

Static

static

a6244295c0...a4.exe

windows7-x64

a6244295c0...a4.exe

windows10-2004-x64

Sharing

General

Target

a6244295c0b7120af0f92ab683776621625705086637e3d01b44106e5e4126a4
Size

256KB
Sample

240412-ajv84she85
MD5

ec9c14011f7eba348f391c294bdb3367
SHA1

e61a15f8f2accd5a6c9acbf11886b2782d460f52
SHA256

a6244295c0b7120af0f92ab683776621625705086637e3d01b44106e5e4126a4
SHA512

13037bd298f5d093373453b5913f724a91adbab158012cb2f6055c9dd8616bd3fc61be715fe30bc6828215cfd87d3a1d4a12d39ae0503a12588dec2e55ec50c1
SSDEEP

6144:bcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37sEAU:bcW7KEZlPzCy37s/

Score

10^/10

darkcomet sazan persistence rat trojan upx

Static task

static1

upx sazan darkcomet

4 signatures

Behavioral task

behavioral1

Sample

a6244295c0b7120af0f92ab683776621625705086637e3d01b44106e5e4126a4.exe

Resource

win7-20240221-en

darkcomet sazan persistence rat trojan upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

a6244295c0b7120af0f92ab683776621625705086637e3d01b44106e5e4126a4.exe

Resource

win10v2004-20240226-en

darkcomet sazan persistence rat trojan upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

C2

0.tcp.eu.ngrok.io:19165:19165

Mutex

DC_MUTEX-AZWBJ2E

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
Py8v2wbhf6PU
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  a6244295c0b7120af0f92ab683776621625705086637e3d01b44106e5e4126a4
- Size
  
  256KB
- MD5
  
  ec9c14011f7eba348f391c294bdb3367
- SHA1
  
  e61a15f8f2accd5a6c9acbf11886b2782d460f52
- SHA256
  
  a6244295c0b7120af0f92ab683776621625705086637e3d01b44106e5e4126a4
- SHA512
  
  13037bd298f5d093373453b5913f724a91adbab158012cb2f6055c9dd8616bd3fc61be715fe30bc6828215cfd87d3a1d4a12d39ae0503a12588dec2e55ec50c1
- SSDEEP
  
  6144:bcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37sEAU:bcW7KEZlPzCy37s/
Score

10^/10

darkcomet sazan persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- UPX dump on OEP (original entry point)
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

upxsazandarkcomet

behavioral1

darkcometsazanpersistencerattrojanupx

behavioral2

darkcometsazanpersistencerattrojanupx

© 2018-2024

Terms | Privacy