darkcomet | 702cf7fee8a42c80e295d6629f564bae2075f152415fe1c2756c35fa8d71b322 | Triage

Submit
Reports

Overview

overview

Static

static

7

702cf7fee8...2N.exe

windows7-x64

702cf7fee8...2N.exe

windows10-2004-x64

7

Sharing

General

Target

702cf7fee8a42c80e295d6629f564bae2075f152415fe1c2756c35fa8d71b322N
Size

1.4MB
Sample

241012-hh3wkayejb
MD5

2757f76e73f89a394adf37eb339e6c70
SHA1

4cc4c9df20096da522837e090df80e64acd9d09c
SHA256

702cf7fee8a42c80e295d6629f564bae2075f152415fe1c2756c35fa8d71b322
SHA512

abc0689984c20c7a8d6922ec9403288630dbb0032b6d0e6613579c48d12038e4ac41df6430db4e5608a1bbb44a1cc24f8b8b982a4fa45c29de373fd1c52c8064
SSDEEP

24576:TuqOgwfRJz5LEHyxoR9yLE8QOXXncn5GJMD0QZh9uRcHo8ChYY5nQe:TuqOgYRJzdEH3Senn5WXRcHoD3

Score

10^/10

darkcomet discovery evasion persistence rat themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

702cf7fee8a42c80e295d6629f564bae2075f152415fe1c2756c35fa8d71b322N.exe

Resource

win7-20241010-en

darkcomet discovery evasion persistence rat themida trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

702cf7fee8a42c80e295d6629f564bae2075f152415fe1c2756c35fa8d71b322N.exe

Resource

win10v2004-20241007-en

discovery evasion themida

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Targets

- Target
  
  702cf7fee8a42c80e295d6629f564bae2075f152415fe1c2756c35fa8d71b322N
- Size
  
  1.4MB
- MD5
  
  2757f76e73f89a394adf37eb339e6c70
- SHA1
  
  4cc4c9df20096da522837e090df80e64acd9d09c
- SHA256
  
  702cf7fee8a42c80e295d6629f564bae2075f152415fe1c2756c35fa8d71b322
- SHA512
  
  abc0689984c20c7a8d6922ec9403288630dbb0032b6d0e6613579c48d12038e4ac41df6430db4e5608a1bbb44a1cc24f8b8b982a4fa45c29de373fd1c52c8064
- SSDEEP
  
  24576:TuqOgwfRJz5LEHyxoR9yLE8QOXXncn5GJMD0QZh9uRcHo8ChYY5nQe:TuqOgYRJzdEH3Senn5WXRcHoD3
Score

10^/10

darkcomet discovery evasion persistence rat themida trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdiscoveryevasionpersistenceratthemidatrojan

behavioral2

discoveryevasionthemida

© 2018-2024

Terms | Privacy