darkcomet | 172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86 | Triage

Submit
Reports

Overview

overview

Static

static

3

172af0ea71...86.exe

windows7-x64

172af0ea71...86.exe

windows10-2004-x64

Sharing

General

Target

172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86
Size

338KB
Sample

240418-xyx3ksdf4x
MD5

27aed8242c89f5a513c097dcc36c5bef
SHA1

9a53be98d594fabed2fc567e65b7b16d73b69300
SHA256

172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86
SHA512

8f81c85b4653096ccaca23a706527130eecd2a226c111db44138577efcd5446415fe5ebadf12e71361bd5e267f5436bd2f1dc4255e20e1fc55974f630e80b478
SSDEEP

6144:wC4W+NSe7/mE5WAGb/msFw13ocRGQqrDsZOZ3ZpWoM7+aaTaaaHbiXJEdpC8bQ:w/W+cHEIAGb/msFwxocgQq3sZOZIbuq

Score

10^/10

darkcomet slave evasion persistence rat trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe

Resource

win7-20240221-en

darkcomet slave evasion persistence rat trojan upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe

Resource

win10v2004-20240412-en

darkcomet slave evasion persistence rat trojan upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Slave

C2

gotcha1337.no-ip.biz:1604

Mutex

DC_MUTEX-YL1K3PD

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
KFeuKKdTKtY3
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86
- Size
  
  338KB
- MD5
  
  27aed8242c89f5a513c097dcc36c5bef
- SHA1
  
  9a53be98d594fabed2fc567e65b7b16d73b69300
- SHA256
  
  172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86
- SHA512
  
  8f81c85b4653096ccaca23a706527130eecd2a226c111db44138577efcd5446415fe5ebadf12e71361bd5e267f5436bd2f1dc4255e20e1fc55974f630e80b478
- SSDEEP
  
  6144:wC4W+NSe7/mE5WAGb/msFw13ocRGQqrDsZOZ3ZpWoM7+aaTaaaHbiXJEdpC8bQ:w/W+cHEIAGb/msFwxocgQq3sZOZIbuq
Score

10^/10

darkcomet slave evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- UPX dump on OEP (original entry point)
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

darkcometslaveevasionpersistencerattrojanupx

behavioral2

darkcometslaveevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy