darkcomet | fb29ae21d3f271f495910d64c472a441da768020c7899905a56480a0c1c5cf8d | Triage

Sharing

General

Target

4564fe3b9e93dfb3ba38c197125dabda_JaffaCakes118
Size

758KB
Sample

241015-c1ptrszdqc
MD5

4564fe3b9e93dfb3ba38c197125dabda
SHA1

e8f3ac2006acc773dd4d66d2cd62bbee7389ac2d
SHA256

fb29ae21d3f271f495910d64c472a441da768020c7899905a56480a0c1c5cf8d
SHA512

3681a3090f5d73268462f27d97697bd9598216d1320616f7184219a6212ae7f071765ef374bfac039bcf69019712024acec96f69ad819804ba5ca0d8cc936af3
SSDEEP

12288:+XhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452Up:gnAw2WWeFcfbP9VPSPMTSPL/rWvzq4J5

Score

10^/10

darkcomet hp discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

hp

C2

youngmomi.servemp3.com:1604

Mutex

DC_MUTEX-9G7UWDF

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
puTVGGfMmnsa
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  4564fe3b9e93dfb3ba38c197125dabda_JaffaCakes118
- Size
  
  758KB
- MD5
  
  4564fe3b9e93dfb3ba38c197125dabda
- SHA1
  
  e8f3ac2006acc773dd4d66d2cd62bbee7389ac2d
- SHA256
  
  fb29ae21d3f271f495910d64c472a441da768020c7899905a56480a0c1c5cf8d
- SHA512
  
  3681a3090f5d73268462f27d97697bd9598216d1320616f7184219a6212ae7f071765ef374bfac039bcf69019712024acec96f69ad819804ba5ca0d8cc936af3
- SSDEEP
  
  12288:+XhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452Up:gnAw2WWeFcfbP9VPSPMTSPL/rWvzq4J5
Score

10^/10

darkcomet hp discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcomethpdiscoveryevasionpersistencerattrojan

behavioral2

darkcomethpdiscoveryevasionpersistencerattrojan