darkcomet | fa3f15ee92c063e81a7c10f2257ef6806b68f8836ef38202769a24935fc8253b | Triage

Sharing

General

Target

d58b8a39a413e1cdafe366a2aa8be0bd_JaffaCakes118
Size

1.4MB
Sample

240909-dedeaayanm
MD5

d58b8a39a413e1cdafe366a2aa8be0bd
SHA1

03aff7d12482527cb69db88f0695179ae5e04461
SHA256

fa3f15ee92c063e81a7c10f2257ef6806b68f8836ef38202769a24935fc8253b
SHA512

7037c36586f3c4854110396460bbe7e67ca55d798c8b2260b08307381cf8ee780cbabf8418fe4c0cba0ca20ef12b5b8f78b01e927100d9b3a3dde5c2675e6d7a
SSDEEP

24576:DX60inDv9gGw6gMC9jC6upfF0w8Rp5TKXdeNQNuLswq3fEBIKwdukDT1/YOM4Qcp:gnD2G0e6afqwsp5TKXdqYIsJfSa3ZBlu

Score

10^/10

darkcomet latentbot aaaa606 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

aaaa606

C2

handsomehearteng.zapto.org:1606

Mutex

DC_MUTEX-TXHDLD1

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
W9fRuhVE2qYB
install
true
offline_keylogger
false
password
123456
persistence
false
reg_key
MicroUpdate

Extracted

Family

latentbot

C2

handsomehearteng.zapto.org

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

Targets

- Target
  
  d58b8a39a413e1cdafe366a2aa8be0bd_JaffaCakes118
- Size
  
  1.4MB
- MD5
  
  d58b8a39a413e1cdafe366a2aa8be0bd
- SHA1
  
  03aff7d12482527cb69db88f0695179ae5e04461
- SHA256
  
  fa3f15ee92c063e81a7c10f2257ef6806b68f8836ef38202769a24935fc8253b
- SHA512
  
  7037c36586f3c4854110396460bbe7e67ca55d798c8b2260b08307381cf8ee780cbabf8418fe4c0cba0ca20ef12b5b8f78b01e927100d9b3a3dde5c2675e6d7a
- SSDEEP
  
  24576:DX60inDv9gGw6gMC9jC6upfF0w8Rp5TKXdeNQNuLswq3fEBIKwdukDT1/YOM4Qcp:gnD2G0e6afqwsp5TKXdqYIsJfSa3ZBlu
Score

10^/10

darkcomet latentbot aaaa606 discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometlatentbotaaaa606discoverypersistencerattrojan

behavioral2

darkcometlatentbotaaaa606discoverypersistencerattrojan