darkcomet | 883147c195cc8f7e79123197a9ecb14559abb6ac68792306357b485ad1ca276f | Triage

Submit
Reports

Overview

overview

Static

static

7

f49da0371e...18.exe

windows7-x64

f49da0371e...18.exe

windows10-2004-x64

7

Sharing

General

Target

f49da0371e3b3bc3adfedbace3963fe3_JaffaCakes118
Size

819KB
Sample

240417-aal9vaga92
MD5

f49da0371e3b3bc3adfedbace3963fe3
SHA1

76455b51f4300cadcf4695f00f9ad914b8542af8
SHA256

883147c195cc8f7e79123197a9ecb14559abb6ac68792306357b485ad1ca276f
SHA512

f8bbfe3600aa4c7a06619c4332f314422049655a06b0f24a28d51b47d68a46e9cf9d72dbeb6f8794868d98ac1599be99999f4bb63cda7d43b19ac5bce952e2d5
SSDEEP

24576:34T5euUMwzjwS8OZmd8rseVeoKODY/Bmz:3AewuwS8O0d84eTryu

Score

10^/10

darkcomet aspackv2 evasion persistence rat trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

f49da0371e3b3bc3adfedbace3963fe3_JaffaCakes118.exe

Resource

win7-20240221-en

darkcomet aspackv2 evasion persistence rat trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

f49da0371e3b3bc3adfedbace3963fe3_JaffaCakes118.exe

Resource

win10v2004-20240226-en

windows10-2004-x64

1 signatures

150 seconds

Malware Config

Targets

- Target
  
  f49da0371e3b3bc3adfedbace3963fe3_JaffaCakes118
- Size
  
  819KB
- MD5
  
  f49da0371e3b3bc3adfedbace3963fe3
- SHA1
  
  76455b51f4300cadcf4695f00f9ad914b8542af8
- SHA256
  
  883147c195cc8f7e79123197a9ecb14559abb6ac68792306357b485ad1ca276f
- SHA512
  
  f8bbfe3600aa4c7a06619c4332f314422049655a06b0f24a28d51b47d68a46e9cf9d72dbeb6f8794868d98ac1599be99999f4bb63cda7d43b19ac5bce952e2d5
- SSDEEP
  
  24576:34T5euUMwzjwS8OZmd8rseVeoKODY/Bmz:3AewuwS8O0d84eTryu
Score

10^/10

darkcomet aspackv2 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometaspackv2evasionpersistencerattrojan

behavioral2

© 2018-2024

Terms | Privacy