darkcomet | 2b6a3303f789dcb6019801babcbde32bac1a1154391f61f8127e3b9f03d6e8de | Triage

Submit
Reports

Overview

overview

Static

static

3

32714e6ba3...AS.exe

windows7-x64

32714e6ba3...AS.exe

windows10-2004-x64

Sharing

General

Target

32714e6ba316bf34e90dbf6d5e81f260_NEAS
Size

847KB
Sample

240506-3mbcbsge61
MD5

32714e6ba316bf34e90dbf6d5e81f260
SHA1

34ae7f07b4d179323854f9b3d624d03e35889da9
SHA256

2b6a3303f789dcb6019801babcbde32bac1a1154391f61f8127e3b9f03d6e8de
SHA512

46302f16a2b491808b579b4596e52bc8ff6fe972f4054483cc622357bb727394e7ab65191091eeef97fedcbcd39f388511c5757399d8674221c3ba6ab6958d5a
SSDEEP

24576:SV9RUqJJeOY9J3/Ekbl4055FWim0HvYq/5lrzG:eUqJsOWJ3/EIlhtzYqxZzG

Score

10^/10

darkcomet fud persistence rat trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe

Resource

win7-20240215-en

darkcomet fud persistence rat trojan upx

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

32714e6ba316bf34e90dbf6d5e81f260_NEAS.exe

Resource

win10v2004-20240419-en

darkcomet fud persistence rat trojan upx

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

FUD

C2

ainab-inc.no-ip.biz:1604

ainab-inc.no-ip.biz:1605

ainab.no-ip.info:1605

ainab.no-ip.info:1604

Mutex

DC_MUTEX-8PSGHJX

Attributes

InstallPath
C:\Program Files\CCleaner\CCleaner-resident.exe
gencode
xhpExvTjwd0Y
install
true
offline_keylogger
true
persistence
true
reg_key
explore

Targets

- Target
  
  32714e6ba316bf34e90dbf6d5e81f260_NEAS
- Size
  
  847KB
- MD5
  
  32714e6ba316bf34e90dbf6d5e81f260
- SHA1
  
  34ae7f07b4d179323854f9b3d624d03e35889da9
- SHA256
  
  2b6a3303f789dcb6019801babcbde32bac1a1154391f61f8127e3b9f03d6e8de
- SHA512
  
  46302f16a2b491808b579b4596e52bc8ff6fe972f4054483cc622357bb727394e7ab65191091eeef97fedcbcd39f388511c5757399d8674221c3ba6ab6958d5a
- SSDEEP
  
  24576:SV9RUqJJeOY9J3/Ekbl4055FWim0HvYq/5lrzG:eUqJsOWJ3/EIlhtzYqxZzG
Score

10^/10

darkcomet fud persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometfudpersistencerattrojanupx

behavioral2

darkcometfudpersistencerattrojanupx

© 2018-2024

Terms | Privacy