darkcomet | b77e18b1acc022824f5a3056e141918e57946d9cda62ec4c8bb2434c1d5dd6cb | Triage

Sharing

General

Target

9c446de6d14b63ac198ce7b26cbe34a0_JaffaCakes118
Size

937KB
Sample

240816-ayjtmavdlf
MD5

9c446de6d14b63ac198ce7b26cbe34a0
SHA1

cd5d67d7aed102e26909be9780bd4cd7a80d57a0
SHA256

b77e18b1acc022824f5a3056e141918e57946d9cda62ec4c8bb2434c1d5dd6cb
SHA512

84ad1d8b8417ce361b6d78a300a54026491a894bb480cf162a003afea53f055cebd54bf8fb1e43d0b1b3f1e267302e0dd85b4a9a496446c6c40f907a854a51f1
SSDEEP

24576:vnAw2WWeFcfbP9VPSPMTSPL/rWvzq4JJfpD9bNCfL:PELbVMTrOq49OL

Score

10^/10

darkcomet latentbot main discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

MAIN

C2

aditi1rajan.zapto.org:100

Mutex

DC_MUTEX-94XYLM2

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
1pNxuWVLzDfY
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Extracted

Family

latentbot

C2

aditi1rajan.zapto.org

Targets

- Target
  
  9c446de6d14b63ac198ce7b26cbe34a0_JaffaCakes118
- Size
  
  937KB
- MD5
  
  9c446de6d14b63ac198ce7b26cbe34a0
- SHA1
  
  cd5d67d7aed102e26909be9780bd4cd7a80d57a0
- SHA256
  
  b77e18b1acc022824f5a3056e141918e57946d9cda62ec4c8bb2434c1d5dd6cb
- SHA512
  
  84ad1d8b8417ce361b6d78a300a54026491a894bb480cf162a003afea53f055cebd54bf8fb1e43d0b1b3f1e267302e0dd85b4a9a496446c6c40f907a854a51f1
- SSDEEP
  
  24576:vnAw2WWeFcfbP9VPSPMTSPL/rWvzq4JJfpD9bNCfL:PELbVMTrOq49OL
Score

10^/10

darkcomet latentbot main discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometlatentbotmaindiscoveryevasionpersistencerattrojan

behavioral2

darkcometlatentbotmaindiscoveryevasionpersistencerattrojan