darkcomet | eb3ece6d6320f505077128076d8e12a99ebc4dc9fcde7094ccf8dcb46059a3b8 | Triage

Sharing

General

Target

3791cbee70a4d9d4f442e7857624d556_JaffaCakes118
Size

245KB
Sample

241012-asp4fsxamp
MD5

3791cbee70a4d9d4f442e7857624d556
SHA1

e31e19aba3e46a456f1468ddb63978b1fabc5204
SHA256

eb3ece6d6320f505077128076d8e12a99ebc4dc9fcde7094ccf8dcb46059a3b8
SHA512

1a1eb010d4c927a3def81d38b0badb0675db3bf57cf976040756bf17d08da806825ac1139978f980b7ca90e61d1ce3f74fc5171d1695912a121bf96e2fa798b2
SSDEEP

6144:gaawXW6wmI7GOdCD9FQDtMMvAvZUyLbFLAXYjq7/u+KD+T:ga+6wXGZFQDtMM4RRljkI+T

Score

10^/10

darkcomet guestnt discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

GuestNT

C2

cndns.minidns.net:1123

Mutex

DC_MUTEX-PQXTHV7

Attributes

InstallPath
NTsoft\NTrat.exe
gencode
ZDyvfnhdmzgr
install
true
offline_keylogger
true
persistence
true
reg_key
NTrat

Targets

- Target
  
  NTrat.exe
- Size
  
  793KB
- MD5
  
  716e2305f98bcfcdf7b6b5834cabe354
- SHA1
  
  4dd31cdbaf110671f78a51eebb7096d1a81cb41b
- SHA256
  
  38d026ed743afc0372aa4abea764d2594d5daa82e06093aef3cf6f29a61b9923
- SHA512
  
  0d018dee698e85340476554f84a66d689d699065541bd493e7e0e2dfead415debe0e3c350389e3d629c006a499ff62a37626a990b84f6b1bb65e3c79a04142b7
- SSDEEP
  
  24576:UZ1xuVVjfFoynPaVBUR8f+kN10EB8h6ey39:0QDgok30fh6ey39
Score

10^/10

darkcomet guestnt discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

guestntdarkcomet

behavioral1

darkcometguestntdiscoveryevasionpersistencerattrojan

behavioral2

darkcometguestntdiscoveryevasionpersistencerattrojan