darkcomet | 7dc90310298e3d436abb10953908e7d57666270823a9511ac8645aede4d2d410 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

b0627d0748a0e5cbc86b021bd1bb71be_JaffaCakes118
Size

400KB
Sample

240820-xbb7la1elp
MD5

b0627d0748a0e5cbc86b021bd1bb71be
SHA1

fc51e6bfc01f81ac51baeaba55a98e26e23834e5
SHA256

7dc90310298e3d436abb10953908e7d57666270823a9511ac8645aede4d2d410
SHA512

4cab079f7deed510105b50d703c03ce41f19c01b8a095667a09528dcd53d26c1f5753b314e2e0c54ebe6dab08f9f97c5caf75fa5cb99b1255f46e8aa568135b0
SSDEEP

6144:UfA6Rv8jX0N9ImdCQkhk7uIvQdVTkLELuM9BDAoiQ6MsIMtCPzEOcV9U:q1sXmImdCJ7FdFzLuroizJIICPzP

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

mohamedmmk.zapto.org:82

Mutex

DC_MUTEX-L1KB0QQ

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
LN0J2LLsllhH
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  b0627d0748a0e5cbc86b021bd1bb71be_JaffaCakes118
- Size
  
  400KB
- MD5
  
  b0627d0748a0e5cbc86b021bd1bb71be
- SHA1
  
  fc51e6bfc01f81ac51baeaba55a98e26e23834e5
- SHA256
  
  7dc90310298e3d436abb10953908e7d57666270823a9511ac8645aede4d2d410
- SHA512
  
  4cab079f7deed510105b50d703c03ce41f19c01b8a095667a09528dcd53d26c1f5753b314e2e0c54ebe6dab08f9f97c5caf75fa5cb99b1255f46e8aa568135b0
- SSDEEP
  
  6144:UfA6Rv8jX0N9ImdCQkhk7uIvQdVTkLELuM9BDAoiQ6MsIMtCPzEOcV9U:q1sXmImdCJ7FdFzLuroizJIICPzP
Score

10^/10

darkcomet guest16 discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16discoverypersistencerattrojan

behavioral2

darkcometguest16discoverypersistencerattrojan