darkcomet | 9afc2d3b01741283283f9f22e7c5aed1fd5fa2a20bb12dfa6b64563c7b1bb2a4 | Triage

Sharing

General

Target

3f878e6f30a537b1566243859cb6a1e8_JaffaCakes118
Size

2.8MB
Sample

241013-ncmkaaybnl
MD5

3f878e6f30a537b1566243859cb6a1e8
SHA1

6f827a4ddf57229ccc4b325e216d417ba78787bc
SHA256

9afc2d3b01741283283f9f22e7c5aed1fd5fa2a20bb12dfa6b64563c7b1bb2a4
SHA512

09fbe26e5a5a87404870cf519929e277efad4cff6ca2d95c14c4c0be920a2eadfc3f1146f4bb570a319dce257fd4aa89dca6d5a258a137d2b38feadfccfd35f1
SSDEEP

24576:v/1BldFQP8PSB6WrbK9OWPLJwykhXPEdn1GaOEy47E:VBLPTubK9PeyKXMdn0aOcE

Score

10^/10

darkcomet discovery evasion persistence rat trojan

Malware Config

Targets

- Target
  
  Drive.SnapShot.v1.40.15293.Keymaker.ONLY-ZWT [Keygen].exe
- Size
  
  2.8MB
- MD5
  
  b829c36266c4242c1c0d0418c1d2e924
- SHA1
  
  00b33c6d3db8c8dd32d0f8dd0727c7078e5145fd
- SHA256
  
  2323d6f575de464693987c055dfa29089b3a6e4f8f81f96497315b7cc1a5f024
- SHA512
  
  4f5171be5103a8d6fa2fc95d2dc50ffb5556b8941cc5ce8ca102560e3bd54f1b78560082afddc9aae4a6340b546050552102574739fb693e4f9a4e1be62c76c1
- SSDEEP
  
  24576:K/1BldFQP8PSB6WrbK9OWPLJwykhXPEdn1GaOEy:0BLPTubK9PeyKXMdn0aO
Score

10^/10

darkcomet discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdiscoveryevasionpersistencerattrojan

behavioral2

darkcometdiscoveryevasionpersistencerattrojan