darkcomet | 7467389d865089caa1830efa45ba37ff408f723dd0debf0e94d3fe4376aa1408 | Triage

Sharing

General

Target

3216b81f9731256d3fe49c62121990a0_JaffaCakes118
Size

993KB
Sample

241010-2gn6kazfrb
MD5

3216b81f9731256d3fe49c62121990a0
SHA1

31bf55a24ade293b3ea91416a9cfe0d2caa9b1c3
SHA256

7467389d865089caa1830efa45ba37ff408f723dd0debf0e94d3fe4376aa1408
SHA512

7a6ba796d6eb647669596c1402c6f54a265383e30cdb45a896241bb2513881e374ddc065230aaef8c0b572954f50548b52ac63afeda80f6efd1addb6e4529286
SSDEEP

24576:F1CjRNrxmiRwxeFfZMRWn1fObCb4yZQgr:F2NNmvEFOotr6k

Score

10^/10

darkcomet discovery evasion persistence rat trojan

Malware Config

Targets

- Target
  
  3216b81f9731256d3fe49c62121990a0_JaffaCakes118
- Size
  
  993KB
- MD5
  
  3216b81f9731256d3fe49c62121990a0
- SHA1
  
  31bf55a24ade293b3ea91416a9cfe0d2caa9b1c3
- SHA256
  
  7467389d865089caa1830efa45ba37ff408f723dd0debf0e94d3fe4376aa1408
- SHA512
  
  7a6ba796d6eb647669596c1402c6f54a265383e30cdb45a896241bb2513881e374ddc065230aaef8c0b572954f50548b52ac63afeda80f6efd1addb6e4529286
- SSDEEP
  
  24576:F1CjRNrxmiRwxeFfZMRWn1fObCb4yZQgr:F2NNmvEFOotr6k
Score

10^/10

darkcomet discovery persistence rat trojan evasion
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdiscoverypersistencerattrojan

behavioral2

darkcometdiscoveryevasionpersistencerattrojan