darkcomet | 8c30104c9da821a254c49dd59dce24af2de9e4b4e4bb86c30399f05d43fd77a3 | Triage

Sharing

General

Target

8c30104c9da821a254c49dd59dce24af2de9e4b4e4bb86c30399f05d43fd77a3
Size

338KB
Sample

240417-p6nj4sgb59
MD5

37a661284263dad9a1fe1557241f91f4
SHA1

ead0498252da0a1822868d7c96eb6aa9eca4b019
SHA256

8c30104c9da821a254c49dd59dce24af2de9e4b4e4bb86c30399f05d43fd77a3
SHA512

e67cbd600f83b7bcaaed841c5c6542df98f72ea57bf1d799110df3024d6ff911b8d4ec52d4ab265bd28814b2eb460f7c703c86e81e20601429e96738666b46f5
SSDEEP

6144:ZRxo6Z8Mhm7PoanTaypEo161h2B8lemetU5Uq6z25qE8JEn6w/V+hQRJdD8:ZRC67hodTa4Eo161hVb6z28EE1w/VeQi

Score

10^/10

darkcomet hecker evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Hecker

C2

7.tcp.eu.ngrok.io:11791

Mutex

DC_MUTEX-GAFJ7KC

Attributes

InstallPath
Runtime Broker.exe
gencode
1NDoWjfTb2iN
install
true
offline_keylogger
true
persistence
true
reg_key
RUNTIMEBROKHANDLER

Targets

- Target
  
  712f8fe73fc9955808359aa68bb2e898c6661b4cf7de0f0dc27fd668dca17134.exe
- Size
  
  658KB
- MD5
  
  25b08da1a964836d5b6d64ee0bcf30e0
- SHA1
  
  ad90af854d09a464b2ae958a93aa1cb713af1fb5
- SHA256
  
  712f8fe73fc9955808359aa68bb2e898c6661b4cf7de0f0dc27fd668dca17134
- SHA512
  
  45a5f0aac1d12fe33c5bceaa2a6b226d5fbb85c99c035c608686bc6143ef4c0abc15d197dc947fae4e441d234e43cf32396894e71f2f62f369f806dbf4a9f4bc
- SSDEEP
  
  12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hj:KZ1xuVVjfFoynPaVBUR8f+kN10EBp
Score

10^/10

darkcomet hecker evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

heckerdarkcomet

behavioral1

darkcometheckerevasionpersistencerattrojan

behavioral2

darkcometheckerevasionpersistencerattrojan