darkcomet | 4c9e11389a51bbb1538c3c57a469be9256812e9be5ced4f06ba6c100668ddde1 | Triage

Submit
Reports

Overview

overview

Static

static

27f2bffd80...18.exe

windows7-x64

27f2bffd80...18.exe

windows10-2004-x64

Sharing

General

Target

27f2bffd80e144f0b738ff6659c3b8c3_JaffaCakes118
Size

252KB
Sample

240509-ddxrjaef4v
MD5

27f2bffd80e144f0b738ff6659c3b8c3
SHA1

388aff586e3ec2c5c862596ec16abdfdbdfcb98f
SHA256

4c9e11389a51bbb1538c3c57a469be9256812e9be5ced4f06ba6c100668ddde1
SHA512

a57f5163ef3d35d000b0f9d5caf84a65ebce2d3cdfe61468fb13d976541caab106c9fab32392c4826e5bedd87ae29c9a0eb53e4281bec0f0d0e856b6660be1c2
SSDEEP

6144:DcNYk1yuwEDBum3qYWnl0pd0EX3Zq2b6wfIDYm0PHQU:DcWkbgTYWnYnt/IDYhPJ

Score

10^/10

darkcomet guest16 evasion persistence rat trojan upx

Static task

static1

upx guest16 darkcomet

3 signatures

Behavioral task

behavioral1

Sample

27f2bffd80e144f0b738ff6659c3b8c3_JaffaCakes118.exe

Resource

win7-20240419-en

darkcomet guest16 evasion persistence rat trojan upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

27f2bffd80e144f0b738ff6659c3b8c3_JaffaCakes118.exe

Resource

win10v2004-20240426-en

darkcomet guest16 evasion persistence rat trojan upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-15PZK2D

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
WXuth936C97A
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  27f2bffd80e144f0b738ff6659c3b8c3_JaffaCakes118
- Size
  
  252KB
- MD5
  
  27f2bffd80e144f0b738ff6659c3b8c3
- SHA1
  
  388aff586e3ec2c5c862596ec16abdfdbdfcb98f
- SHA256
  
  4c9e11389a51bbb1538c3c57a469be9256812e9be5ced4f06ba6c100668ddde1
- SHA512
  
  a57f5163ef3d35d000b0f9d5caf84a65ebce2d3cdfe61468fb13d976541caab106c9fab32392c4826e5bedd87ae29c9a0eb53e4281bec0f0d0e856b6660be1c2
- SSDEEP
  
  6144:DcNYk1yuwEDBum3qYWnl0pd0EX3Zq2b6wfIDYm0PHQU:DcWkbgTYWnYnt/IDYhPJ
Score

10^/10

darkcomet guest16 evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

upxguest16darkcomet

behavioral1

darkcometguest16evasionpersistencerattrojanupx

behavioral2

darkcometguest16evasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy