darkcomet | d1bd4c50eb5f9720f866793d9062c3596c147588778a1842d4f44af34bfac6be | Triage

Sharing

General

Target

b979020d846ef76746d2c273b7f90af1_JaffaCakes118
Size

802KB
Sample

240822-3dv1dawall
MD5

b979020d846ef76746d2c273b7f90af1
SHA1

e94b6f19fa423e0905ab9a2b9ee61ffcd5cb486a
SHA256

d1bd4c50eb5f9720f866793d9062c3596c147588778a1842d4f44af34bfac6be
SHA512

facc09660611c062427376919becafaf007e62bbf19e73d88dc912e7d770de68c8f37314ed5fe44f7b426ecd93ed59570194f9caab41afb27bc476a504a5d760
SSDEEP

24576:NSABEhmKLM1CioJuYrASHWuZw2uTZNsv75rG0jby:NSABwLxuA/WuG2aIjn6

Score

10^/10

darkcomet latentbot aryan discovery evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Aryan

C2

arcanusmarkus.zapto.org:1604

Mutex

DC_MUTEX-KG5M2GM

Attributes

gencode
F63AR93Wk9PU
install
false
offline_keylogger
true
persistence
false

Extracted

Family

latentbot

C2

arcanusmarkus.zapto.org

Targets

- Target
  
  b979020d846ef76746d2c273b7f90af1_JaffaCakes118
- Size
  
  802KB
- MD5
  
  b979020d846ef76746d2c273b7f90af1
- SHA1
  
  e94b6f19fa423e0905ab9a2b9ee61ffcd5cb486a
- SHA256
  
  d1bd4c50eb5f9720f866793d9062c3596c147588778a1842d4f44af34bfac6be
- SHA512
  
  facc09660611c062427376919becafaf007e62bbf19e73d88dc912e7d770de68c8f37314ed5fe44f7b426ecd93ed59570194f9caab41afb27bc476a504a5d760
- SSDEEP
  
  24576:NSABEhmKLM1CioJuYrASHWuZw2uTZNsv75rG0jby:NSABwLxuA/WuG2aIjn6
Score

10^/10

darkcomet latentbot aryan discovery evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometlatentbotaryandiscoveryevasionpersistencerattrojanupx

behavioral2

darkcometlatentbotaryandiscoveryevasionpersistencerattrojanupx