darkcomet | dbd5175524d0c28a7ac148c2c1ef04cc273c9892334064b0e60389b0477d65c8 | Triage

Submit
Reports

Overview

overview

Static

static

3

016e20f53d...18.exe

windows7-x64

016e20f53d...18.exe

windows10-2004-x64

Sharing

General

Target

016e20f53d9abcd81969b219a9403d0c_JaffaCakes118
Size

824KB
Sample

240620-as55nsyfkb
MD5

016e20f53d9abcd81969b219a9403d0c
SHA1

a1c6004a6336b312b61622519f0305d5e6be9b5c
SHA256

dbd5175524d0c28a7ac148c2c1ef04cc273c9892334064b0e60389b0477d65c8
SHA512

b9d537d8582dd3c4ba555950660b5e2cce4827d66fc3c8c4e0758a75171ac614db3766e00ff2eb875a9857982b3e341e33f892850a5a1229576388330ce873f0
SSDEEP

24576:dZg15Rf2/3UW/u29vYYRCPIYXlMXA+XEx4:dkRf2X2c4BV/z4

Score

10^/10

darkcomet guest16 persistence rat trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

016e20f53d9abcd81969b219a9403d0c_JaffaCakes118.exe

Resource

win7-20231129-en

darkcomet guest16 persistence rat trojan upx

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

016e20f53d9abcd81969b219a9403d0c_JaffaCakes118.exe

Resource

win10v2004-20240508-en

darkcomet guest16 persistence rat trojan upx

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:81

khaledboos.no-ip.biz:81

Mutex

DC_MUTEX-8R7JJ6F

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
7oM227tF3Edh
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  016e20f53d9abcd81969b219a9403d0c_JaffaCakes118
- Size
  
  824KB
- MD5
  
  016e20f53d9abcd81969b219a9403d0c
- SHA1
  
  a1c6004a6336b312b61622519f0305d5e6be9b5c
- SHA256
  
  dbd5175524d0c28a7ac148c2c1ef04cc273c9892334064b0e60389b0477d65c8
- SHA512
  
  b9d537d8582dd3c4ba555950660b5e2cce4827d66fc3c8c4e0758a75171ac614db3766e00ff2eb875a9857982b3e341e33f892850a5a1229576388330ce873f0
- SSDEEP
  
  24576:dZg15Rf2/3UW/u29vYYRCPIYXlMXA+XEx4:dkRf2X2c4BV/z4
Score

10^/10

darkcomet guest16 persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

darkcometguest16persistencerattrojanupx

behavioral2

darkcometguest16persistencerattrojanupx

© 2018-2024

Terms | Privacy