darkcomet | 6e3ea5466f4c79238477fae18abb2626dabee07cbff1f9a07e8c0de6f9901ac8 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

4825be39eabdc56bda914c52e7f52c6c_JaffaCakes118
Size

236KB
Sample

240715-en5qkaxcmj
MD5

4825be39eabdc56bda914c52e7f52c6c
SHA1

ab12d6a3d8953ae717fa1b0057f455007be21c4d
SHA256

6e3ea5466f4c79238477fae18abb2626dabee07cbff1f9a07e8c0de6f9901ac8
SHA512

87a56b0b94a6dc83b8a8268f01d685a40d72a9cf3723908f1e5d4033b7c3ef8df3d5dd8af244dfc553f76e42b9b03f34f37980f04427d7cb27d147f67ce22445
SSDEEP

6144:emDUj24gqU85IzrFA9NfmDuLpNr5NhWudrWDh:eqUj2LkizrzDujVNhWucD

Score

10^/10

darkcomet bot persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Bot

C2

127.0.0.1:1604

hexrut.dlinkddns.com:1604

Mutex

DC_MUTEX-5Z66KF0

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
gsDNLLcH5xMX
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  4825be39eabdc56bda914c52e7f52c6c_JaffaCakes118
- Size
  
  236KB
- MD5
  
  4825be39eabdc56bda914c52e7f52c6c
- SHA1
  
  ab12d6a3d8953ae717fa1b0057f455007be21c4d
- SHA256
  
  6e3ea5466f4c79238477fae18abb2626dabee07cbff1f9a07e8c0de6f9901ac8
- SHA512
  
  87a56b0b94a6dc83b8a8268f01d685a40d72a9cf3723908f1e5d4033b7c3ef8df3d5dd8af244dfc553f76e42b9b03f34f37980f04427d7cb27d147f67ce22445
- SSDEEP
  
  6144:emDUj24gqU85IzrFA9NfmDuLpNr5NhWudrWDh:eqUj2LkizrzDujVNhWucD
Score

10^/10

darkcomet bot persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometbotpersistencerattrojan

behavioral2

darkcometbotpersistencerattrojan