darkcomet | e04e6b24ecce5a89b75aad9da48f41f816754c732a2a0e76b9e90a45ea65f650 | Triage

Submit
Reports

Overview

overview

Static

static

a4bbbebd9b...18.exe

windows7-x64

a4bbbebd9b...18.exe

windows10-2004-x64

Sharing

General

Target

a4bbbebd9bb26f02a0a7bb7092ac3d06_JaffaCakes118
Size

389KB
Sample

240818-a1rbgswclh
MD5

a4bbbebd9bb26f02a0a7bb7092ac3d06
SHA1

687d705f948a9b7b430a4249eda0544d4b1de676
SHA256

e04e6b24ecce5a89b75aad9da48f41f816754c732a2a0e76b9e90a45ea65f650
SHA512

677dbf0de3d161a97a338989db1403972e0d2e796f8390bfb49969c6ae078230bb83fa9da2b6fd9257aca83ca7d84b2bcda8ab3897e388e661c2baaf2e06bfd1
SSDEEP

6144:BFRaI2EqBP/WsZL1PgLl4w0AidVym0EnarUBYVsceh0EUwUDLDv:TR72EqluswR45JTnaEY2Punwyvv

Score

10^/10

darkcomet latentbot defense_evasion discovery evasion persistence rat trojan upx

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

a4bbbebd9bb26f02a0a7bb7092ac3d06_JaffaCakes118.exe

Resource

win7-20240708-en

darkcomet latentbot defense_evasion discovery evasion persistence rat trojan upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

a4bbbebd9bb26f02a0a7bb7092ac3d06_JaffaCakes118.exe

Resource

win10v2004-20240802-en

darkcomet latentbot defense_evasion discovery evasion persistence rat trojan upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

latentbot

C2

backdoor2012.zapto.org

Targets

- Target
  
  a4bbbebd9bb26f02a0a7bb7092ac3d06_JaffaCakes118
- Size
  
  389KB
- MD5
  
  a4bbbebd9bb26f02a0a7bb7092ac3d06
- SHA1
  
  687d705f948a9b7b430a4249eda0544d4b1de676
- SHA256
  
  e04e6b24ecce5a89b75aad9da48f41f816754c732a2a0e76b9e90a45ea65f650
- SHA512
  
  677dbf0de3d161a97a338989db1403972e0d2e796f8390bfb49969c6ae078230bb83fa9da2b6fd9257aca83ca7d84b2bcda8ab3897e388e661c2baaf2e06bfd1
- SSDEEP
  
  6144:BFRaI2EqBP/WsZL1PgLl4w0AidVym0EnarUBYVsceh0EUwUDLDv:TR72EqluswR45JTnaEY2Punwyvv
Score

10^/10

darkcomet latentbot defense_evasion discovery evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometlatentbotdefense_evasiondiscoveryevasionpersistencerattrojanupx

behavioral2

darkcometlatentbotdefense_evasiondiscoveryevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy