darkcomet | f173b00071e8aa63d2b7e3493203aa2b9245c3e5b43cc8626c86f655b39c6487 | Triage

Submit
Reports

Overview

overview

Static

static

3

0032923c42...18.exe

windows7-x64

0032923c42...18.exe

windows10-2004-x64

Sharing

General

Target

0032923c4273ee9cae8a704f7a25fe82_JaffaCakes118
Size

1.3MB
Sample

240619-ygnm9ayejc
MD5

0032923c4273ee9cae8a704f7a25fe82
SHA1

36409476a9d1e92121e227f71c407dce1ef586ee
SHA256

f173b00071e8aa63d2b7e3493203aa2b9245c3e5b43cc8626c86f655b39c6487
SHA512

4556e6bf618fe0cabec255a52635b468bdaf01391e5ddb131470ab44b72eb6924fd4e5f1d398e182d372c5ba82fea39d73bad378b37e41ca436b20ace36ba08b
SSDEEP

12288:LNlBcdK2yMq3Sb4/h0E+BJ64kDwsTpW74YCuaoG7mu/gos9rnX9Ntc2wDfrE0Dt0:L1oImQCBMAJbYU2Qs38z

Score

10^/10

darkcomet guest16 persistence rat trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

0032923c4273ee9cae8a704f7a25fe82_JaffaCakes118.exe

Resource

win7-20240508-en

darkcomet guest16 persistence rat trojan upx

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

0032923c4273ee9cae8a704f7a25fe82_JaffaCakes118.exe

Resource

win10v2004-20240508-en

darkcomet guest16 persistence rat trojan upx

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

slient.no-ip.biz:1604

42.117.239.159:1604

Mutex

DC_MUTEX-CRNC0F1

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
1bWmuNAg36hA
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  0032923c4273ee9cae8a704f7a25fe82_JaffaCakes118
- Size
  
  1.3MB
- MD5
  
  0032923c4273ee9cae8a704f7a25fe82
- SHA1
  
  36409476a9d1e92121e227f71c407dce1ef586ee
- SHA256
  
  f173b00071e8aa63d2b7e3493203aa2b9245c3e5b43cc8626c86f655b39c6487
- SHA512
  
  4556e6bf618fe0cabec255a52635b468bdaf01391e5ddb131470ab44b72eb6924fd4e5f1d398e182d372c5ba82fea39d73bad378b37e41ca436b20ace36ba08b
- SSDEEP
  
  12288:LNlBcdK2yMq3Sb4/h0E+BJ64kDwsTpW74YCuaoG7mu/gos9rnX9Ntc2wDfrE0Dt0:L1oImQCBMAJbYU2Qs38z
Score

10^/10

darkcomet guest16 persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

darkcometguest16persistencerattrojanupx

behavioral2

darkcometguest16persistencerattrojanupx

© 2018-2024

Terms | Privacy