darkcomet | fdc0862a8406ebbcbbf4f093602f275a5f88cc2d88940d115e6108504c21b1f4 | Triage

Sharing

General

Target

a8a0a65f58409fe0ef9772c830e229b9_JaffaCakes118
Size

812KB
Sample

240818-3axd2atdmq
MD5

a8a0a65f58409fe0ef9772c830e229b9
SHA1

adea21e5abb3f823b06ad50a4bd02398fc3f6ad5
SHA256

fdc0862a8406ebbcbbf4f093602f275a5f88cc2d88940d115e6108504c21b1f4
SHA512

24f809b5e84c2f48c0df790c4edd3353b260892b802224a1cb36c855a9d02659ab72ac44b5aafb2301ffabc28ec7476812ffdf528b8f1b7c824595bb3cb5db7e
SSDEEP

24576:761Z3lQXuEZ9AxqSx30RiwToA2XqM1+2Xqp3:70lQVZFSx30Rin5ZFXu

Score

10^/10

darkcomet latentbot guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

medoseleman.zapto.org:1604

Mutex

DC_MUTEX-5ZYX353

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
xgYRCgeFqwAg
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Extracted

Family

latentbot

C2

medoseleman.zapto.org

Targets

- Target
  
  a8a0a65f58409fe0ef9772c830e229b9_JaffaCakes118
- Size
  
  812KB
- MD5
  
  a8a0a65f58409fe0ef9772c830e229b9
- SHA1
  
  adea21e5abb3f823b06ad50a4bd02398fc3f6ad5
- SHA256
  
  fdc0862a8406ebbcbbf4f093602f275a5f88cc2d88940d115e6108504c21b1f4
- SHA512
  
  24f809b5e84c2f48c0df790c4edd3353b260892b802224a1cb36c855a9d02659ab72ac44b5aafb2301ffabc28ec7476812ffdf528b8f1b7c824595bb3cb5db7e
- SSDEEP
  
  24576:761Z3lQXuEZ9AxqSx30RiwToA2XqM1+2Xqp3:70lQVZFSx30Rin5ZFXu
Score

10^/10

darkcomet latentbot guest16 discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Modifies WinLogon for persistence
  persistence
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometlatentbotguest16discoverypersistencerattrojan

behavioral2

darkcometlatentbotguest16discoverypersistencerattrojan