darkcomet | cd2425811b7c7828aeb6f8cf4f1abc65bed3afca36add26d77060f982db8e97b | Triage

Sharing

General

Target

4c4826f7709b53371411c6782fe93d2b_JaffaCakes118
Size

1.1MB
Sample

240716-b2zjxssapa
MD5

4c4826f7709b53371411c6782fe93d2b
SHA1

dfa8ff70a8d451c73df9cdb12babd7c9336fbb8e
SHA256

cd2425811b7c7828aeb6f8cf4f1abc65bed3afca36add26d77060f982db8e97b
SHA512

cd69adf8ba2442ca357f8a61250f09e0c0f6451798b9848ef4d606c7a9b050f2b5d38c1c8d7923b2fb6ac5a9b68b0f696f3fed6070171474c8148b70ff0060f4
SSDEEP

24576:enAw2WWeFcfbP9VPSPMTSPL/rWvzq4JJfpHd9vi:UELbVMTrOq4w

Score

10^/10

darkcomet latentbot rsh evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

RSH

C2

protectiondata.zapto.org:1320

Mutex

DC_MUTEX-70CDJY2

Attributes

InstallPath
RSH\rs.exe
gencode
nUELvpuFDoj6
install
true
offline_keylogger
true
persistence
false
reg_key
RSH

Extracted

Family

latentbot

C2

protectiondata.zapto.org

Targets

- Target
  
  4c4826f7709b53371411c6782fe93d2b_JaffaCakes118
- Size
  
  1.1MB
- MD5
  
  4c4826f7709b53371411c6782fe93d2b
- SHA1
  
  dfa8ff70a8d451c73df9cdb12babd7c9336fbb8e
- SHA256
  
  cd2425811b7c7828aeb6f8cf4f1abc65bed3afca36add26d77060f982db8e97b
- SHA512
  
  cd69adf8ba2442ca357f8a61250f09e0c0f6451798b9848ef4d606c7a9b050f2b5d38c1c8d7923b2fb6ac5a9b68b0f696f3fed6070171474c8148b70ff0060f4
- SSDEEP
  
  24576:enAw2WWeFcfbP9VPSPMTSPL/rWvzq4JJfpHd9vi:UELbVMTrOq4w
Score

10^/10

darkcomet latentbot rsh evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometlatentbotrshevasionpersistencerattrojan

behavioral2

darkcometlatentbotrshevasionpersistencerattrojan