darkcomet | 3a3a40e7ff8413fa854ebcfa806c49b8aca1e5229e9ac1d2b4328b7159656fac | Triage

Sharing

General

Target

e8fca18ed75c135fe91673d2aee177a0_JaffaCakes118
Size

662KB
Sample

240918-naqh6aycmp
MD5

e8fca18ed75c135fe91673d2aee177a0
SHA1

ba1eb6cae9eb724da4d025e5b11670e789a33544
SHA256

3a3a40e7ff8413fa854ebcfa806c49b8aca1e5229e9ac1d2b4328b7159656fac
SHA512

b555e3a99ab5cbe169d24c6b6c13268105d0f24c65b7e07c2d63e0a0dc8bf41ce200de41b4b223c2b805dba93716f3f57876a40b1289002c5965ec47293a834c
SSDEEP

12288:jk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+06:I0QRWoJEfg0oChGdJQbjPbNW5tYeP+GW

Score

10^/10

darkcomet guest16_min discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

127.0.0.1:1604

Mutex

DCMIN_MUTEX-VS89U65

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
WpWoCtQT9CWw
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Targets

- Target
  
  e8fca18ed75c135fe91673d2aee177a0_JaffaCakes118
- Size
  
  662KB
- MD5
  
  e8fca18ed75c135fe91673d2aee177a0
- SHA1
  
  ba1eb6cae9eb724da4d025e5b11670e789a33544
- SHA256
  
  3a3a40e7ff8413fa854ebcfa806c49b8aca1e5229e9ac1d2b4328b7159656fac
- SHA512
  
  b555e3a99ab5cbe169d24c6b6c13268105d0f24c65b7e07c2d63e0a0dc8bf41ce200de41b4b223c2b805dba93716f3f57876a40b1289002c5965ec47293a834c
- SSDEEP
  
  12288:jk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+06:I0QRWoJEfg0oChGdJQbjPbNW5tYeP+GW
Score

10^/10

darkcomet guest16_min discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

guest16_mindarkcomet

behavioral1

darkcometguest16_mindiscoverypersistencerattrojan

behavioral2

darkcometguest16_mindiscoverypersistencerattrojan