darkcomet | a7e8eccf72d7f433cbe460d7b986b9044cbe4152a37717464c22cc5627997a43 | Triage

Submit
Reports

Overview

overview

Static

static

7

ad80fab1b6...18.exe

windows7-x64

ad80fab1b6...18.exe

windows10-2004-x64

Sharing

General

Target

ad80fab1b61eedd00adda7872a1b81f8_JaffaCakes118
Size

3.0MB
Sample

240820-cm1dcasepn
MD5

ad80fab1b61eedd00adda7872a1b81f8
SHA1

ab5ce17152b8363686e95f30bdc3adebe6976abe
SHA256

a7e8eccf72d7f433cbe460d7b986b9044cbe4152a37717464c22cc5627997a43
SHA512

6fb3ff62aaf54cb11a5ba8a4eea3255aecbca4c08169892a640182e0aad428b1a1f90361123f9d4b39d0640bc3497a94b00575bbad62b4dfd2221548b596b7c6
SSDEEP

98304:bE3AkV49N65xEfyoc0GS+pkowEbUw6k8ZDz5:nkV49AxUyopGS+plwkUwSZz5

Score

10^/10

darkcomet latentbot guest16 discovery persistence rat trojan upx

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

ad80fab1b61eedd00adda7872a1b81f8_JaffaCakes118.exe

Resource

win7-20240704-en

darkcomet latentbot guest16 discovery persistence rat trojan upx

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

ad80fab1b61eedd00adda7872a1b81f8_JaffaCakes118.exe

Resource

win10v2004-20240802-en

darkcomet latentbot guest16 discovery persistence rat trojan upx

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

medoseleman.zapto.org:1604

Mutex

DC_MUTEX-YJYEBPK

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
tQiKsS04Yhz9
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Extracted

Family

latentbot

C2

medoseleman.zapto.org

Targets

- Target
  
  ad80fab1b61eedd00adda7872a1b81f8_JaffaCakes118
- Size
  
  3.0MB
- MD5
  
  ad80fab1b61eedd00adda7872a1b81f8
- SHA1
  
  ab5ce17152b8363686e95f30bdc3adebe6976abe
- SHA256
  
  a7e8eccf72d7f433cbe460d7b986b9044cbe4152a37717464c22cc5627997a43
- SHA512
  
  6fb3ff62aaf54cb11a5ba8a4eea3255aecbca4c08169892a640182e0aad428b1a1f90361123f9d4b39d0640bc3497a94b00575bbad62b4dfd2221548b596b7c6
- SSDEEP
  
  98304:bE3AkV49N65xEfyoc0GS+pkowEbUw6k8ZDz5:nkV49AxUyopGS+plwkUwSZz5
Score

10^/10

darkcomet latentbot guest16 discovery persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Modifies WinLogon for persistence
  persistence
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometlatentbotguest16discoverypersistencerattrojanupx

behavioral2

darkcometlatentbotguest16discoverypersistencerattrojanupx

© 2018-2024

Terms | Privacy