darkcomet | 848dbec6a4031b28671092408054bd1a51f4c08d961107f41c42235cbd14eff1 | Triage

Submit
Reports

Overview

overview

Static

static

15bae297ef...18.exe

windows7-x64

15bae297ef...18.exe

windows10-2004-x64

Sharing

General

Target

15bae297ef8d4db07e327c20aba3f8ea_JaffaCakes118
Size

838KB
Sample

240627-my6plsxemg
MD5

15bae297ef8d4db07e327c20aba3f8ea
SHA1

c6405960b0add36e255d880dc4fda6c106c13136
SHA256

848dbec6a4031b28671092408054bd1a51f4c08d961107f41c42235cbd14eff1
SHA512

ea619e23efc776aeb8e6db6c28f408933624a8e0e30ee4f851f12db92634e56629f0aeef4dba6a8f6c67973fa0d2b13e4b12d044ed81febae5dc212b7c970ef0
SSDEEP

24576:bUKoN0bUxgGa/pfBHDb+y1HgZaOtgXu+7vv:QK1A6Ca

Score

10^/10

darkcomet latentbot evasion persistence rat trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

15bae297ef8d4db07e327c20aba3f8ea_JaffaCakes118.exe

Resource

win7-20240611-en

darkcomet latentbot evasion persistence rat trojan upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

15bae297ef8d4db07e327c20aba3f8ea_JaffaCakes118.exe

Resource

win10v2004-20240611-en

darkcomet latentbot evasion persistence rat trojan upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

latentbot

C2

rustyslaves.zapto.org

Targets

- Target
  
  15bae297ef8d4db07e327c20aba3f8ea_JaffaCakes118
- Size
  
  838KB
- MD5
  
  15bae297ef8d4db07e327c20aba3f8ea
- SHA1
  
  c6405960b0add36e255d880dc4fda6c106c13136
- SHA256
  
  848dbec6a4031b28671092408054bd1a51f4c08d961107f41c42235cbd14eff1
- SHA512
  
  ea619e23efc776aeb8e6db6c28f408933624a8e0e30ee4f851f12db92634e56629f0aeef4dba6a8f6c67973fa0d2b13e4b12d044ed81febae5dc212b7c970ef0
- SSDEEP
  
  24576:bUKoN0bUxgGa/pfBHDb+y1HgZaOtgXu+7vv:QK1A6Ca
Score

10^/10

darkcomet latentbot evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Modifies WinLogon for persistence
  persistence
- Windows security bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometlatentbotevasionpersistencerattrojanupx

behavioral2

darkcometlatentbotevasionpersistencerattrojanupx

© 2018-2025

Terms | Privacy