darkcomet | ff77277245800b3aa373bc1a9e789014ee50af2450133ae10c1569d84f32b2cf | Triage

Submit
Reports

Overview

overview

Static

static

3

WinLockerBuilder2.exe

windows7-x64

WinLockerBuilder2.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

WinLockerBuilder2.exe
Size

1.7MB
Sample

240818-j5vn5sxcrr
MD5

410fe67a1b89105486140bb30a6b9ca9
SHA1

f8d50097c608da77637977f64e7a48f3da7bc092
SHA256

ff77277245800b3aa373bc1a9e789014ee50af2450133ae10c1569d84f32b2cf
SHA512

94dd01181936b14b3b6d638e3aee8016d8674e0c3d5a1b48c4e8e71d6ac940aeb359eeb29fff4abb16585520d0720de0a56d83a866058e6741d9a052486383e5
SSDEEP

24576:pGYwefQHQnJceBaVvlW1t39AJ4FsnAwtir2CESobryiGzozFg7c:pGYp5uvC9sAwtUH02c

Score

10^/10

darkcomet modiloader guest16 aspackv2 discovery persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

WinLockerBuilder2.exe

Resource

win7-20240708-en

darkcomet modiloader guest16 aspackv2 discovery persistence rat trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

WinLockerBuilder2.exe

Resource

win10v2004-20240802-en

darkcomet modiloader guest16 aspackv2 discovery persistence rat trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

gameservice.ddns.net:4320

Mutex

DC_MUTEX-WBUNVXD

Attributes

InstallPath
AudioDriver\taskhost.exe
gencode
EWSsWwgyJrUD
install
true
offline_keylogger
true
persistence
false
reg_key
AudioDriver

Targets

- Target
  
  WinLockerBuilder2.exe
- Size
  
  1.7MB
- MD5
  
  410fe67a1b89105486140bb30a6b9ca9
- SHA1
  
  f8d50097c608da77637977f64e7a48f3da7bc092
- SHA256
  
  ff77277245800b3aa373bc1a9e789014ee50af2450133ae10c1569d84f32b2cf
- SHA512
  
  94dd01181936b14b3b6d638e3aee8016d8674e0c3d5a1b48c4e8e71d6ac940aeb359eeb29fff4abb16585520d0720de0a56d83a866058e6741d9a052486383e5
- SSDEEP
  
  24576:pGYwefQHQnJceBaVvlW1t39AJ4FsnAwtir2CESobryiGzozFg7c:pGYp5uvC9sAwtUH02c
Score

10^/10

darkcomet modiloader guest16 aspackv2 discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies WinLogon for persistence
  persistence
- ModiLoader Second Stage
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometmodiloaderguest16aspackv2discoverypersistencerattrojan

behavioral2

darkcometmodiloaderguest16aspackv2discoverypersistencerattrojan

© 2018-2025

Terms | Privacy