darkcomet | 90258ba478bc7d9e0ac1150bc3c28cf221644938ae1ef57e97e8b9c0a74947ee | Triage

Sharing

General

Target

fc4a04c594d1edfd93f9e8730080f4e4_JaffaCakes118
Size

1.4MB
Sample

240928-pkz11swalk
MD5

fc4a04c594d1edfd93f9e8730080f4e4
SHA1

4e66674709ebcb06ce110c4189e653f8a092e2e1
SHA256

90258ba478bc7d9e0ac1150bc3c28cf221644938ae1ef57e97e8b9c0a74947ee
SHA512

817d16bcf927d08e31daf649ab9ac70351b647474da02aa850ff20302a92aa27bdf2faf067eb93a54076d4de381f58772d26234b37a8ad1e4c62d557fc182c2f
SSDEEP

24576:0F8qFlZv4fHF5baAPpA+n4oSiBBD8Atq2T7sPyPGNv/HsAqp:0uNhBB8iP+0

Score

10^/10

darkcomet guest16_min discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

deathradder.us.to:1604

Mutex

DCMIN_MUTEX-G9B1X6X

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
HbJG9pNmfLWq
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Targets

- Target
  
  fc4a04c594d1edfd93f9e8730080f4e4_JaffaCakes118
- Size
  
  1.4MB
- MD5
  
  fc4a04c594d1edfd93f9e8730080f4e4
- SHA1
  
  4e66674709ebcb06ce110c4189e653f8a092e2e1
- SHA256
  
  90258ba478bc7d9e0ac1150bc3c28cf221644938ae1ef57e97e8b9c0a74947ee
- SHA512
  
  817d16bcf927d08e31daf649ab9ac70351b647474da02aa850ff20302a92aa27bdf2faf067eb93a54076d4de381f58772d26234b37a8ad1e4c62d557fc182c2f
- SSDEEP
  
  24576:0F8qFlZv4fHF5baAPpA+n4oSiBBD8Atq2T7sPyPGNv/HsAqp:0uNhBB8iP+0
Score

10^/10

darkcomet guest16_min discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16_mindiscoverypersistencerattrojan

behavioral2

darkcometguest16_mindiscoverypersistencerattrojan