darkcomet | f0991ff0c9379130adfc31152ec55c1925872f0c664ab34df90cb2d730c0bf63 | Triage

Submit
Reports

Overview

overview

Static

static

Virs1.exe

windows7-x64

Virs1.exe

windows10-2004-x64

Sharing

General

Target

Virs1.exe
Size

1.4MB
Sample

241006-mk4m4atdnc
MD5

272ce51163d36007d848281cb03e5fc7
SHA1

2f9b35209bf3d91cf14ca23aee64e31d684e9d26
SHA256

f0991ff0c9379130adfc31152ec55c1925872f0c664ab34df90cb2d730c0bf63
SHA512

955087c98ae98e51351b5c41cc83f39dc23c9f60658791bb3f83c5ba65b82fd601fe457c514dea73aa422f59b1806a55f576c66d52e4b5fec29fefd0f260fe1f
SSDEEP

24576:iZ1xuVVjfFoynPaVBUR8f+kN10EBJw5vgHWjTwAlocaKjyyItHDzY:iQDgok30JrLocaKjGq

Score

10^/10

darkcomet sazan discovery evasion rat trojan

Static task

static1

sazan darkcomet

2 signatures

Behavioral task

behavioral1

Sample

Virs1.exe

Resource

win7-20240903-en

darkcomet sazan discovery evasion rat trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

Virs1.exe

Resource

win10v2004-20240802-en

darkcomet sazan discovery evasion rat trojan

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

C2

tm6bqni.localto.net:1511

Mutex

DC_MUTEX-8K1U6CF

Attributes

gencode
phCnNGEAkXoi
install
false
offline_keylogger
true
persistence
false

Targets

- Target
  
  Virs1.exe
- Size
  
  1.4MB
- MD5
  
  272ce51163d36007d848281cb03e5fc7
- SHA1
  
  2f9b35209bf3d91cf14ca23aee64e31d684e9d26
- SHA256
  
  f0991ff0c9379130adfc31152ec55c1925872f0c664ab34df90cb2d730c0bf63
- SHA512
  
  955087c98ae98e51351b5c41cc83f39dc23c9f60658791bb3f83c5ba65b82fd601fe457c514dea73aa422f59b1806a55f576c66d52e4b5fec29fefd0f260fe1f
- SSDEEP
  
  24576:iZ1xuVVjfFoynPaVBUR8f+kN10EBJw5vgHWjTwAlocaKjyyItHDzY:iQDgok30JrLocaKjGq
Score

10^/10

darkcomet sazan discovery evasion rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Disables Task Manager via registry modification
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometsazandiscoveryevasionrattrojan

behavioral2

darkcometsazandiscoveryevasionrattrojan

© 2018-2025

Terms | Privacy