darkcomet | ab7f8227177f84c781322b23009f32e372a53ba826a9a96b36a1ee0145b4e0ae | Triage

Sharing

General

Target

24ce711ea3798396150d70df3184fdbb_JaffaCakes118
Size

2.5MB
Sample

241008-yy349swaje
MD5

24ce711ea3798396150d70df3184fdbb
SHA1

d339a73736b7dd931419b56898aeb8cb373cc1e8
SHA256

ab7f8227177f84c781322b23009f32e372a53ba826a9a96b36a1ee0145b4e0ae
SHA512

8a5ccacc7465f7a38f149d2ee3968ecd04b8927711a4aee134803748669fba4afef6fa21615bc48c02031394b89460932ba2a642b9a7fc2d3372b2386868fdbd
SSDEEP

49152:ZeOYNw8+Cu9ifT5KzyrOTFfoPebTxc4w6SkNB9SEruYtUs72/eS:ZjtoVKzyrONoPMqkNBUErBtUs72eS

Score

10^/10

darkcomet latentbot hydra antivirüs discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Hydra Antivirüs

C2

127.0.0.1:1604

hydrahydra1907.zapto.org:1604

Mutex

DC_MUTEX-F1THYT4

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
fDsHmDftmeEj
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Extracted

Family

latentbot

C2

hydrahydra1907.zapto.org

Targets

- Target
  
  24ce711ea3798396150d70df3184fdbb_JaffaCakes118
- Size
  
  2.5MB
- MD5
  
  24ce711ea3798396150d70df3184fdbb
- SHA1
  
  d339a73736b7dd931419b56898aeb8cb373cc1e8
- SHA256
  
  ab7f8227177f84c781322b23009f32e372a53ba826a9a96b36a1ee0145b4e0ae
- SHA512
  
  8a5ccacc7465f7a38f149d2ee3968ecd04b8927711a4aee134803748669fba4afef6fa21615bc48c02031394b89460932ba2a642b9a7fc2d3372b2386868fdbd
- SSDEEP
  
  49152:ZeOYNw8+Cu9ifT5KzyrOTFfoPebTxc4w6SkNB9SEruYtUs72/eS:ZjtoVKzyrONoPMqkNBUErBtUs72eS
Score

10^/10

darkcomet latentbot hydra antivirüs discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometlatentbothydra antivirüsdiscoveryevasionpersistencerattrojan

behavioral2

darkcometlatentbothydra antivirüsdiscoveryevasionpersistencerattrojan