darkcomet | d067eb6f1e71610b17e8c2f04e4aabc5a8dcac2f45f0f1b7c2e513f8f0aeccef | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

7

a00fb30162...18.exe

windows7-x64

a00fb30162...18.exe

windows10-2004-x64

7

Sharing

General

Target

a00fb301627569c02a6049948edfa4f4_JaffaCakes118
Size

2.5MB
Sample

240816-1ncwfaserk
MD5

a00fb301627569c02a6049948edfa4f4
SHA1

876cd672502a32f935b3d74c0709c7ab18d007c0
SHA256

d067eb6f1e71610b17e8c2f04e4aabc5a8dcac2f45f0f1b7c2e513f8f0aeccef
SHA512

fa9778c1b0ef8881b0e6b0c05b48210873b8d329675c947560a23aa74391190e8fac82c379635312fc6a4c070c3f3ec53b82315b2bb0a3d9b3238f77e502fa0d
SSDEEP

49152:Q2ZTGLeCbvW9giG81t6wlK2qinPu6cxyo7POaf/K601R:Q2EViZtt0iPu/oo7POx

Score

10^/10

darkcomet latentbot discovery evasion persistence rat themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

a00fb301627569c02a6049948edfa4f4_JaffaCakes118.exe

Resource

win7-20240704-en

darkcomet latentbot discovery evasion persistence rat themida trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

a00fb301627569c02a6049948edfa4f4_JaffaCakes118.exe

Resource

win10v2004-20240802-en

discovery evasion themida

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

latentbot

C2

interbarcellona.zapto.org

Targets

- Target
  
  a00fb301627569c02a6049948edfa4f4_JaffaCakes118
- Size
  
  2.5MB
- MD5
  
  a00fb301627569c02a6049948edfa4f4
- SHA1
  
  876cd672502a32f935b3d74c0709c7ab18d007c0
- SHA256
  
  d067eb6f1e71610b17e8c2f04e4aabc5a8dcac2f45f0f1b7c2e513f8f0aeccef
- SHA512
  
  fa9778c1b0ef8881b0e6b0c05b48210873b8d329675c947560a23aa74391190e8fac82c379635312fc6a4c070c3f3ec53b82315b2bb0a3d9b3238f77e502fa0d
- SSDEEP
  
  49152:Q2ZTGLeCbvW9giG81t6wlK2qinPu6cxyo7POaf/K601R:Q2EViZtt0iPu/oo7POx
Score

10^/10

darkcomet latentbot discovery evasion persistence rat themida trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Modifies WinLogon for persistence
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometlatentbotdiscoveryevasionpersistenceratthemidatrojan

behavioral2

discoveryevasionthemida

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.