darkcomet | a49018ba9474e20f883533f245790d7b51f5477f268f5cd189cb543e7e458bcd | Triage

Submit
Reports

Overview

overview

Static

static

a70c493bfa...18.exe

windows7-x64

a70c493bfa...18.exe

windows10-2004-x64

Sharing

General

Target

a70c493bfaba996e100dd35ed6c18951_JaffaCakes118
Size

259KB
Sample

240613-26rmzsvcjg
MD5

a70c493bfaba996e100dd35ed6c18951
SHA1

b1c184099805e83258e77b30806687beb0aa09c5
SHA256

a49018ba9474e20f883533f245790d7b51f5477f268f5cd189cb543e7e458bcd
SHA512

04b163c43c7588944edcfe56e9dd0b2f9ec72db4896f284e5987a187f3f2e9fa0a896d44564baa6e4a2c4add83a48f7bf26c0b8acff3a5363d5f789bbe6a10e6
SSDEEP

6144:0cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37+r:0cW7KEZlPzCy37

Score

10^/10

darkcomet zqw evasion persistence rat trojan upx

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

a70c493bfaba996e100dd35ed6c18951_JaffaCakes118.exe

Resource

win7-20240611-en

darkcomet zqw evasion persistence rat trojan upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

a70c493bfaba996e100dd35ed6c18951_JaffaCakes118.exe

Resource

win10v2004-20240508-en

darkcomet zqw evasion persistence rat trojan upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

Extracted

Family

darkcomet

Botnet

ZQW

C2

http://aliq.no-ip.info:1604

http://aliq.no-ip.info:1605

http://aliq.no-ip.info:2147

http://aliq.no-ip.info:4569

aliq.no-ip.info:1604

aliq.no-ip.info:1605

aliq.no-ip.info:2147

aliq.no-ip.info:4569

http://aliq111.no-ip.info:1604

http://aliq111.no-ip.info:1605

http://aliq111.no-ip.info:2147

http://aliq111.no-ip.info:4569

http://aliq555.publicvm.com:1604

http://aliq555.publicvm.com:2147

http://aliq555.publicvm.com:1605

http://aliq555.publicvm.com:4569

aliq555.publicvm.com:1604

aliq555.publicvm.com:1605

aliq555.publicvm.com:2147

aliq555.publicvm.com:4569

Mutex

DC_MUTEX-BM2VJFH

Attributes

InstallPath
C:\MSDCSC\ZQWZ.exe
gencode
N7GilaH4YpEz
install
true
offline_keylogger
true
persistence
true
reg_key
ZQWZ

Targets

- Target
  
  a70c493bfaba996e100dd35ed6c18951_JaffaCakes118
- Size
  
  259KB
- MD5
  
  a70c493bfaba996e100dd35ed6c18951
- SHA1
  
  b1c184099805e83258e77b30806687beb0aa09c5
- SHA256
  
  a49018ba9474e20f883533f245790d7b51f5477f268f5cd189cb543e7e458bcd
- SHA512
  
  04b163c43c7588944edcfe56e9dd0b2f9ec72db4896f284e5987a187f3f2e9fa0a896d44564baa6e4a2c4add83a48f7bf26c0b8acff3a5363d5f789bbe6a10e6
- SSDEEP
  
  6144:0cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37+r:0cW7KEZlPzCy37
Score

10^/10

darkcomet zqw evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

darkcometzqwevasionpersistencerattrojanupx

behavioral2

darkcometzqwevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy