darkcomet | b8022c1aa5f5f6220ffce8f3f473bb8078bbf171fa00e50823bc0c79946c1121 | Triage

Submit
Reports

Overview

overview

Static

static

7

DarkNight.exe

windows7-x64

9

DarkNight.exe

windows10-2004-x64

Sharing

General

Target

DarkNight.exe
Size

3.9MB
Sample

240415-3gbe5sdb9x
MD5

d396e70e3da1b5c0c8414a524971b83e
SHA1

928fcd454a00ec2141fa0b1966ae509235c4c6c7
SHA256

b8022c1aa5f5f6220ffce8f3f473bb8078bbf171fa00e50823bc0c79946c1121
SHA512

dd66a02df8456876b89fc913d4e0e3c60324cb4adb4dd4c3a39babf0a70a6f4f10eb9d610a6aa86576746e5d9e458c85fbc320b708949a164c43588c9aaf9d4b
SSDEEP

98304:8O6Dchp3YEtEbfY514GcOIjRy9NcrMcLAAW8bapEUyB3pm1:8OakRObogOdDcNL08ILyu

Score

10^/10

darkcomet dn2 evasion rat themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

DarkNight.exe

Resource

win7-20240221-en

evasion themida trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

DarkNight.exe

Resource

win10v2004-20240412-en

darkcomet dn2 evasion rat themida trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

DN2

C2

80.93.220.228:1605

Mutex

DC_MUTEX-X39FPQJ

Attributes

gencode
UxJtmrp9botj
install
false
offline_keylogger
true
persistence
false

Targets

- Target
  
  DarkNight.exe
- Size
  
  3.9MB
- MD5
  
  d396e70e3da1b5c0c8414a524971b83e
- SHA1
  
  928fcd454a00ec2141fa0b1966ae509235c4c6c7
- SHA256
  
  b8022c1aa5f5f6220ffce8f3f473bb8078bbf171fa00e50823bc0c79946c1121
- SHA512
  
  dd66a02df8456876b89fc913d4e0e3c60324cb4adb4dd4c3a39babf0a70a6f4f10eb9d610a6aa86576746e5d9e458c85fbc320b708949a164c43588c9aaf9d4b
- SSDEEP
  
  98304:8O6Dchp3YEtEbfY514GcOIjRy9NcrMcLAAW8bapEUyB3pm1:8OakRObogOdDcNL08ILyu
Score

10^/10

evasion themida trojan darkcomet dn2 rat
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionthemidatrojan

behavioral2

darkcometdn2evasionratthemidatrojan

© 2018-2024

Terms | Privacy