darkcomet | 8d70b8dae18b40edcc399a6d12a60b8287983fa236640d5f87063555b204ae2e | Triage

Sharing

General

Target

462ae7aa137af0f8f9fa6dfd1f501350_JaffaCakes118
Size

1.2MB
Sample

241015-gnzwessemk
MD5

462ae7aa137af0f8f9fa6dfd1f501350
SHA1

edde0add37b1efc57c777f3652ffea2a5a99e19d
SHA256

8d70b8dae18b40edcc399a6d12a60b8287983fa236640d5f87063555b204ae2e
SHA512

9c7141c8793a292741c55abb5a0b84fc32eef19265042d8de8a2320abb393c32e5e59ba25f363e14b3135b365b1ba786a701f8778526e240831ad43db76a6f25
SSDEEP

12288:iXYB5R9yEjrOtzU8DE9xvgk1NfuqZBDOEdY/SfX2+/vDGBXkCHDe4M:+YnDjrOGEklgkfBDOEdk6UB0CHDQ

Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

localnet.no-ip.biz:1050

Mutex

DC_MUTEX-ZPL439U

Attributes

gencode
GNMmB7CBTkM2
install
false
offline_keylogger
true
persistence
false

Targets

- Target
  
  462ae7aa137af0f8f9fa6dfd1f501350_JaffaCakes118
- Size
  
  1.2MB
- MD5
  
  462ae7aa137af0f8f9fa6dfd1f501350
- SHA1
  
  edde0add37b1efc57c777f3652ffea2a5a99e19d
- SHA256
  
  8d70b8dae18b40edcc399a6d12a60b8287983fa236640d5f87063555b204ae2e
- SHA512
  
  9c7141c8793a292741c55abb5a0b84fc32eef19265042d8de8a2320abb393c32e5e59ba25f363e14b3135b365b1ba786a701f8778526e240831ad43db76a6f25
- SSDEEP
  
  12288:iXYB5R9yEjrOtzU8DE9xvgk1NfuqZBDOEdY/SfX2+/vDGBXkCHDe4M:+YnDjrOGEklgkfBDOEdk6UB0CHDQ
Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16discoveryevasionpersistencerattrojan

behavioral2

darkcometguest16discoveryevasionpersistencerattrojan