darkcomet | 3a22773a05dad02a825e6891e5ad6e7ad8b3bd1e6dadbc2d74b126be98a67c28 | Triage

Submit
Reports

Overview

overview

Static

static

3

f850a39e38...18.exe

windows7-x64

f850a39e38...18.exe

windows10-2004-x64

3

Sharing

General

Target

f850a39e38c3e6d21d7b2b628333020a_JaffaCakes118
Size

1.3MB
Sample

240418-s9phcsab8w
MD5

f850a39e38c3e6d21d7b2b628333020a
SHA1

40cc05b05ac2f4afc74a0c7f7637b7f959b1f9ec
SHA256

3a22773a05dad02a825e6891e5ad6e7ad8b3bd1e6dadbc2d74b126be98a67c28
SHA512

a77cb4ada2307eba4c4168fdea6bbe847b5fbdf015b8a8cf016f513073fa5fba502a08d1aeb88acfbf958dae9c9d91c2276f876dd8171201a4f06a589339b357
SSDEEP

12288:KLeLCFLSBHiQKQZ1mDNjZia2zZJ47v6es/OOKEqO0jWVKebcIu8g3zMBYjtZK9+O:

Score

10^/10

darkcomet guest16 evasion persistence rat trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

f850a39e38c3e6d21d7b2b628333020a_JaffaCakes118.exe

Resource

win7-20240221-en

darkcomet guest16 evasion persistence rat trojan upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

f850a39e38c3e6d21d7b2b628333020a_JaffaCakes118.exe

Resource

win10v2004-20240412-en

windows10-2004-x64

1 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

6.tcp.ngrok.io:14681

Mutex

DC_MUTEX-ZR9SX0Q

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
oMes1KRz6u7t
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  f850a39e38c3e6d21d7b2b628333020a_JaffaCakes118
- Size
  
  1.3MB
- MD5
  
  f850a39e38c3e6d21d7b2b628333020a
- SHA1
  
  40cc05b05ac2f4afc74a0c7f7637b7f959b1f9ec
- SHA256
  
  3a22773a05dad02a825e6891e5ad6e7ad8b3bd1e6dadbc2d74b126be98a67c28
- SHA512
  
  a77cb4ada2307eba4c4168fdea6bbe847b5fbdf015b8a8cf016f513073fa5fba502a08d1aeb88acfbf958dae9c9d91c2276f876dd8171201a4f06a589339b357
- SSDEEP
  
  12288:KLeLCFLSBHiQKQZ1mDNjZia2zZJ47v6es/OOKEqO0jWVKebcIu8g3zMBYjtZK9+O:
Score

10^/10

darkcomet guest16 evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

darkcometguest16evasionpersistencerattrojanupx

behavioral2

© 2018-2024

Terms | Privacy