darkcomet | 0e061811d07fc95f03c8c35b2f1f8fbc21d3cf2e0dc21569fdc5b40cfd6d13a0 | Triage

Sharing

General

Target

7ba8f99c23717ccc5d3cdc2097ee8944_JaffaCakes118
Size

414KB
Sample

240528-etx8nsfd66
MD5

7ba8f99c23717ccc5d3cdc2097ee8944
SHA1

9a2f758b75225c4b686817e3f890e72d30a88dde
SHA256

0e061811d07fc95f03c8c35b2f1f8fbc21d3cf2e0dc21569fdc5b40cfd6d13a0
SHA512

402e7aecf374c4c8b1c38b9a44f7247fc839acf5c9404fb917b2a1b5883eb3d364804c2b417576d4baeedd0ba2e4392e89afd9b83a221b867dca207e0dbe84ca
SSDEEP

12288:X3nZMhJ+ubNHMg9pTRNwr661J6Hxv4oitm:X3nZqfbtMg7fJ6mxvwtm

Score

10^/10

darkcomet guest16_min persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

127.0.0.1:1604

Mutex

DCMIN_MUTEX-QXY8E2R

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
Skb1w34uDDJ3
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Targets

- Target
  
  7ba8f99c23717ccc5d3cdc2097ee8944_JaffaCakes118
- Size
  
  414KB
- MD5
  
  7ba8f99c23717ccc5d3cdc2097ee8944
- SHA1
  
  9a2f758b75225c4b686817e3f890e72d30a88dde
- SHA256
  
  0e061811d07fc95f03c8c35b2f1f8fbc21d3cf2e0dc21569fdc5b40cfd6d13a0
- SHA512
  
  402e7aecf374c4c8b1c38b9a44f7247fc839acf5c9404fb917b2a1b5883eb3d364804c2b417576d4baeedd0ba2e4392e89afd9b83a221b867dca207e0dbe84ca
- SSDEEP
  
  12288:X3nZMhJ+ubNHMg9pTRNwr661J6Hxv4oitm:X3nZqfbtMg7fJ6mxvwtm
Score

10^/10

darkcomet guest16_min persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16_minpersistencerattrojan

behavioral2

darkcometguest16_minpersistencerattrojan