darkcomet

General

Target

f64202ae93fefe71fc7edcb9c2e0aac42ddbe9cd47ebba7a3b1d67157a809c0f
Size

252KB
Sample

240526-fhjrksff3w
MD5

5436fd89630010dfba66ff289ac23e28
SHA1

a2be564e0a3e7d66d337550fdf4ec03c9dc7fc3a
SHA256

f64202ae93fefe71fc7edcb9c2e0aac42ddbe9cd47ebba7a3b1d67157a809c0f
SHA512

7a2b093d7df3c6efd2edc780989fb56c34e753ab564c945bc9d5fcf0e5b1bc7c3cf49e50d80b9d4390720f05d4d8c84bd057e8496de8d7d91943e807d8d02aa8
SSDEEP

6144:XcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37KGVM:XcW7KEZlPzCy37KG

Score

10^/10

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

darkness123.ddns.net:1604

Mutex

DC_MUTEX-B5047WK

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
Ct6Ynw33gry6
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  f64202ae93fefe71fc7edcb9c2e0aac42ddbe9cd47ebba7a3b1d67157a809c0f
- Size
  
  252KB
- MD5
  
  5436fd89630010dfba66ff289ac23e28
- SHA1
  
  a2be564e0a3e7d66d337550fdf4ec03c9dc7fc3a
- SHA256
  
  f64202ae93fefe71fc7edcb9c2e0aac42ddbe9cd47ebba7a3b1d67157a809c0f
- SHA512
  
  7a2b093d7df3c6efd2edc780989fb56c34e753ab564c945bc9d5fcf0e5b1bc7c3cf49e50d80b9d4390720f05d4d8c84bd057e8496de8d7d91943e807d8d02aa8
- SSDEEP
  
  6144:XcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37KGVM:XcW7KEZlPzCy37KG
Score

10^/10

darkcomet guest16 evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- UPX dump on OEP (original entry point)
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2