darkcomet | b86d368a102ce764870b2cf2197e48496d91a94e4ab59bc61eecf92d9edba3bf | Triage

Sharing

General

Target

139b0c8c03fc3bd86b5041ef7f34cfc7_JaffaCakes118
Size

1.0MB
Sample

241004-q457ta1glf
MD5

139b0c8c03fc3bd86b5041ef7f34cfc7
SHA1

7956809db231e32d7766011f69f24fe760a730b8
SHA256

b86d368a102ce764870b2cf2197e48496d91a94e4ab59bc61eecf92d9edba3bf
SHA512

8a3fb1e0981fe6518ad7dc9098dd3c840ce2d5724b9b584e93bd66b337b9a7bd3b7498fd6f10d3f23f94450dc6bc1f4799796b44d867a4b4060e1bec8b20b7a0
SSDEEP

24576:aNlCkb9m3NFzLGe4obPDyPzjChH0rqRlvbyhhgIWH:aNZm3ffSobkjChHUqwxWH

Score

10^/10

darkcomet darkcomet discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

DarkComet

C2

armedpickler1235.no-ip.biz:200

Mutex

DC_MUTEX-4D3WYFP

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
m7kUMvwZgV2P
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  MW3 Prestige Hack 2012.exe
- Size
  
  1.3MB
- MD5
  
  a30160656f3d8b9db8eb21310b2e5009
- SHA1
  
  ac74646751f8dbc7bcccac8860e759471e2212c7
- SHA256
  
  78cd2433efcd65d483ea4f7fc78557998832ff2048eaee73ed7e9f4744ae9510
- SHA512
  
  80c81d2048371396629891fb4795f977e6122622b66dbe44f0120e298a1b8a8bf47899a8d35384d8fd21355cc9750751100db8b73c934eb0fc1a98d3f344b24c
- SSDEEP
  
  24576:HhqGVu34oC7sgH2O2Vi5mF3jByDk9n3U6nClYtV7qMcJvv66z35vz17Dh4MA9d:HhqkpWBgk9Dn0YfqMcJH66L5BPhy
Score

10^/10

darkcomet darkcomet discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdarkcometdiscoveryevasionpersistencerattrojan

behavioral2

darkcometdarkcometdiscoveryevasionpersistencerattrojan