darkcomet | 803c89efe08eb9dd7dc35bd886818e61ffa82762d75f63c9d2691dd66e703524 | Triage

Sharing

General

Target

1df9fece0dd4500c39dbe9544959a9b7_JaffaCakes118
Size

393KB
Sample

240702-exfg2ayhlk
MD5

1df9fece0dd4500c39dbe9544959a9b7
SHA1

5e3a78348a7c8227324e7c586c9f1705d9f1e042
SHA256

803c89efe08eb9dd7dc35bd886818e61ffa82762d75f63c9d2691dd66e703524
SHA512

0bce0589f10d9c76db128dd74d284fe9708f43099dd7a2827f108a82ac5116f906e4f5fb4c0892f9f00f9aa856dd6b478e9ffc7849e7a25b696aafcf9ca8a9a6
SSDEEP

6144:NcfcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37jNkb/XM3jxNxW0Y0zlVYFAbQ:NcfcW7KEZlPzCy37jNW/XgxNXli3

Score

10^/10

darkcomet latentbot guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

romanticboy.zapto.org:1604

Mutex

DC_MUTEX-DJQBFWY

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
lG6FsTBjX2NM
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Extracted

Family

latentbot

C2

romanticboy.zapto.org

Targets

- Target
  
  1df9fece0dd4500c39dbe9544959a9b7_JaffaCakes118
- Size
  
  393KB
- MD5
  
  1df9fece0dd4500c39dbe9544959a9b7
- SHA1
  
  5e3a78348a7c8227324e7c586c9f1705d9f1e042
- SHA256
  
  803c89efe08eb9dd7dc35bd886818e61ffa82762d75f63c9d2691dd66e703524
- SHA512
  
  0bce0589f10d9c76db128dd74d284fe9708f43099dd7a2827f108a82ac5116f906e4f5fb4c0892f9f00f9aa856dd6b478e9ffc7849e7a25b696aafcf9ca8a9a6
- SSDEEP
  
  6144:NcfcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37jNkb/XM3jxNxW0Y0zlVYFAbQ:NcfcW7KEZlPzCy37jNW/XgxNXli3
Score

10^/10

darkcomet latentbot guest16 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Modifies WinLogon for persistence
  persistence
- Windows security bypass
  evasion trojan
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometlatentbotguest16evasionpersistencerattrojan

behavioral2

darkcometlatentbotguest16evasionpersistencerattrojan