darkcomet | 6a95367b492ae4c76fcba7778a7f5bd6a4161840eb44f7f57ac895e2c73f835b | Triage

Submit
Reports

Overview

overview

Static

static

3

45a7e70ef2...18.exe

windows7-x64

45a7e70ef2...18.exe

windows10-2004-x64

Sharing

General

Target

45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118
Size

264KB
Sample

241015-d79cesxank
MD5

45a7e70ef28d9d8504c5bd72ba13f3be
SHA1

573a04603fdc55e04307727dd3816f316b894680
SHA256

6a95367b492ae4c76fcba7778a7f5bd6a4161840eb44f7f57ac895e2c73f835b
SHA512

fb4e701a2944d208a2a9904f894450fa7fb66b40cb7e0f19964866768e62f50569acee4e04c2ecbb8008eaeea122ca62d587f6a31f677f3bb48fa34359fda2eb
SSDEEP

6144:sBDPC5+0V/3U5xifUntIIHFteqMTENVYvKMyHhRE4adf3aGfrfiFOl:sp++0V/3ojtsqMTEsvm4DikbiUl

Score

10^/10

darkcomet discovery evasion persistence rat trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe

Resource

win7-20240903-en

darkcomet discovery evasion persistence rat trojan upx

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118.exe

Resource

win10v2004-20241007-en

darkcomet discovery evasion persistence rat trojan upx

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Targets

- Target
  
  45a7e70ef28d9d8504c5bd72ba13f3be_JaffaCakes118
- Size
  
  264KB
- MD5
  
  45a7e70ef28d9d8504c5bd72ba13f3be
- SHA1
  
  573a04603fdc55e04307727dd3816f316b894680
- SHA256
  
  6a95367b492ae4c76fcba7778a7f5bd6a4161840eb44f7f57ac895e2c73f835b
- SHA512
  
  fb4e701a2944d208a2a9904f894450fa7fb66b40cb7e0f19964866768e62f50569acee4e04c2ecbb8008eaeea122ca62d587f6a31f677f3bb48fa34359fda2eb
- SSDEEP
  
  6144:sBDPC5+0V/3U5xifUntIIHFteqMTENVYvKMyHhRE4adf3aGfrfiFOl:sp++0V/3ojtsqMTEsvm4DikbiUl
Score

10^/10

darkcomet discovery evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Windows security bypass
  evasion trojan
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdiscoveryevasionpersistencerattrojanupx

behavioral2

darkcometdiscoveryevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy