darkcomet | aade5180b671a74055e5e24f6068c88169fdbdb393d621560613d35b25d6ac85 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

a16a87582b1fa805f44465fc76b97446_JaffaCakes118
Size

827KB
Sample

240612-vgajvawdkr
MD5

a16a87582b1fa805f44465fc76b97446
SHA1

41af022e92e97254399fd36d68acc845526e4452
SHA256

aade5180b671a74055e5e24f6068c88169fdbdb393d621560613d35b25d6ac85
SHA512

f3fc79f4da694c0212d6919a8e3c4d8e0dc2eb88afb8b0e6a3a1234cf6d2b5385fee8a804f9cb5b437b38cee08e72a2e0eee3f254d540dc127614a48293fe87d
SSDEEP

12288:Y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9EkNC/xL:MZ1xuVVjfFoynPaVBUR8f+kN10Edx

Score

10^/10

darkcomet kingraider evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

kingraider

C2

gta5menu.no-ip.biz:101

Mutex

DC_MUTEX-W1JXX8X

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
174XWToCVXoX
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  a16a87582b1fa805f44465fc76b97446_JaffaCakes118
- Size
  
  827KB
- MD5
  
  a16a87582b1fa805f44465fc76b97446
- SHA1
  
  41af022e92e97254399fd36d68acc845526e4452
- SHA256
  
  aade5180b671a74055e5e24f6068c88169fdbdb393d621560613d35b25d6ac85
- SHA512
  
  f3fc79f4da694c0212d6919a8e3c4d8e0dc2eb88afb8b0e6a3a1234cf6d2b5385fee8a804f9cb5b437b38cee08e72a2e0eee3f254d540dc127614a48293fe87d
- SSDEEP
  
  12288:Y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9EkNC/xL:MZ1xuVVjfFoynPaVBUR8f+kN10Edx
Score

10^/10

darkcomet kingraider evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

kingraiderdarkcomet

behavioral1

darkcometkingraiderevasionpersistencerattrojan

behavioral2

darkcometkingraiderevasionpersistencerattrojan