darkcomet | 64658bbae61bb0c82d93d6ad3ac6b6c06b1d160a91bb14e70f420825d7fb10ff | Triage

Submit
Reports

Overview

overview

Static

static

64658bbae6...ff.exe

windows7-x64

64658bbae6...ff.exe

windows10-2004-x64

Sharing

General

Target

64658bbae61bb0c82d93d6ad3ac6b6c06b1d160a91bb14e70f420825d7fb10ff
Size

592KB
Sample

240619-2hjmgavdnf
MD5

9614225a8db95a2ef4ed6947e5efa7be
SHA1

2fd083913b031d23cc0099c5de6ea8354c9ecd16
SHA256

64658bbae61bb0c82d93d6ad3ac6b6c06b1d160a91bb14e70f420825d7fb10ff
SHA512

34e55c8f59b2c3506684fdd6686ee10f4a3cc757ff81d881c609f45063d5c3ec7fd620e4cd4ae9ab8e0b0db52559984b15c43944f35385c663a62a96fb6c8076
SSDEEP

12288:wcWRJxhIUKofd9S88itJsL6s8GwUF81yn0FI/6IC0XoS9:TW/xhIUKofSytJsL6HUP0OHCq

Score

10^/10

darkcomet persistence rat trojan upx

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

64658bbae61bb0c82d93d6ad3ac6b6c06b1d160a91bb14e70f420825d7fb10ff.exe

Resource

win7-20240508-en

darkcomet persistence rat trojan upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

64658bbae61bb0c82d93d6ad3ac6b6c06b1d160a91bb14e70f420825d7fb10ff.exe

Resource

win10v2004-20240508-en

darkcomet persistence rat trojan upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  64658bbae61bb0c82d93d6ad3ac6b6c06b1d160a91bb14e70f420825d7fb10ff
- Size
  
  592KB
- MD5
  
  9614225a8db95a2ef4ed6947e5efa7be
- SHA1
  
  2fd083913b031d23cc0099c5de6ea8354c9ecd16
- SHA256
  
  64658bbae61bb0c82d93d6ad3ac6b6c06b1d160a91bb14e70f420825d7fb10ff
- SHA512
  
  34e55c8f59b2c3506684fdd6686ee10f4a3cc757ff81d881c609f45063d5c3ec7fd620e4cd4ae9ab8e0b0db52559984b15c43944f35385c663a62a96fb6c8076
- SSDEEP
  
  12288:wcWRJxhIUKofd9S88itJsL6s8GwUF81yn0FI/6IC0XoS9:TW/xhIUKofSytJsL6HUP0OHCq
Score

10^/10

darkcomet persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- UPX dump on OEP (original entry point)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

darkcometpersistencerattrojanupx

behavioral2

darkcometpersistencerattrojanupx

© 2018-2024

Terms | Privacy