darkcomet | f325a078aaa41aaf0c5f619dd2b6d9d1e4fb9837cc54aa2ab71c88aae95580db | Triage

Sharing

Copy URL Twitter E-mail

General

Target

0d37824cb0dc10df2966d847302e3134_JaffaCakes118
Size

12.3MB
Sample

241003-bef43azekb
MD5

0d37824cb0dc10df2966d847302e3134
SHA1

e163829ff705fb291800039cd76329c4d5d89787
SHA256

f325a078aaa41aaf0c5f619dd2b6d9d1e4fb9837cc54aa2ab71c88aae95580db
SHA512

81be17af1314fa34e5154e3e12ee53cf50c23b6fa8054656b181a570da0212f1696aa24d85bbce06d2d48a57e6fffc7d512bf28d5b2a7e74bb2c76859fff38c5
SSDEEP

393216:JEgHFEEvurJSPUObk/q40p+iZKdwmJRXe08AxWouRlRSDxl49:CIFEEvurJSPUObk/q40p+iZkwmJRX981

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

activatedmasric.no-ip.info:4899

Mutex

DC_MUTEX-61V7TCV

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
9HHCTuEUFRd0
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  0d37824cb0dc10df2966d847302e3134_JaffaCakes118
- Size
  
  12.3MB
- MD5
  
  0d37824cb0dc10df2966d847302e3134
- SHA1
  
  e163829ff705fb291800039cd76329c4d5d89787
- SHA256
  
  f325a078aaa41aaf0c5f619dd2b6d9d1e4fb9837cc54aa2ab71c88aae95580db
- SHA512
  
  81be17af1314fa34e5154e3e12ee53cf50c23b6fa8054656b181a570da0212f1696aa24d85bbce06d2d48a57e6fffc7d512bf28d5b2a7e74bb2c76859fff38c5
- SSDEEP
  
  393216:JEgHFEEvurJSPUObk/q40p+iZKdwmJRXe08AxWouRlRSDxl49:CIFEEvurJSPUObk/q40p+iZkwmJRX981
Score

10^/10

darkcomet guest16 discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16discoverypersistencerattrojan

behavioral2

darkcometguest16discoverypersistencerattrojan