darkcomet | b8ccb4159470c7b369aad2e32b55011b02e47a4120735bc19cc9efe523ec7007 | Triage

Sharing

General

Target

3c752bb5a4ddace05418a61b12820a2c_JaffaCakes118
Size

1.0MB
Sample

241012-2wbh1swcmb
MD5

3c752bb5a4ddace05418a61b12820a2c
SHA1

c9c818bf8a0247e89aaffe4f5a13655eb7e28680
SHA256

b8ccb4159470c7b369aad2e32b55011b02e47a4120735bc19cc9efe523ec7007
SHA512

92725cd9be489bca3a2b37cb5d98f9317bd75c0664453b8e6cfe079ab36a7f896ebb6c580e234a931e1f1b76059e4af4d08e4338cd244ed87ed523e23592e299
SSDEEP

12288:8nI9QX7d6RJR3QtMuCRcRqzk9443WFP80rUGiPubup0hjHXstzrv0eKu1q5zp/7m:8Ioh6h3QCuoz3YC44qpqe3Jfo1p/71o

Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

rudras.no-ip.org:1704

Mutex

X38A4LN

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
Uo8HBMcP92Nj
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  3c752bb5a4ddace05418a61b12820a2c_JaffaCakes118
- Size
  
  1.0MB
- MD5
  
  3c752bb5a4ddace05418a61b12820a2c
- SHA1
  
  c9c818bf8a0247e89aaffe4f5a13655eb7e28680
- SHA256
  
  b8ccb4159470c7b369aad2e32b55011b02e47a4120735bc19cc9efe523ec7007
- SHA512
  
  92725cd9be489bca3a2b37cb5d98f9317bd75c0664453b8e6cfe079ab36a7f896ebb6c580e234a931e1f1b76059e4af4d08e4338cd244ed87ed523e23592e299
- SSDEEP
  
  12288:8nI9QX7d6RJR3QtMuCRcRqzk9443WFP80rUGiPubup0hjHXstzrv0eKu1q5zp/7m:8Ioh6h3QCuoz3YC44qpqe3Jfo1p/71o
Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16discoveryevasionpersistencerattrojan

behavioral2