darkcomet | f018c0d14c1b9ef5421920538e3e0efe33c91fa3bcd7b56fde9252bf0f5b04ef | Triage

Sharing

General

Target

4cc6c28d2beacff83e9f12bfc0120565_JaffaCakes118
Size

708KB
Sample

241016-pdcl5sydnd
MD5

4cc6c28d2beacff83e9f12bfc0120565
SHA1

a1c8e595a6d1ac1043fe50e93d87e883d54a3fdf
SHA256

f018c0d14c1b9ef5421920538e3e0efe33c91fa3bcd7b56fde9252bf0f5b04ef
SHA512

bd8aa7e44c1e780d41af98970073c39fd399145e9cd55d05f69511aa4dcdc6d964844a128c8ea38aab0f9804466c796fec3907186b83cbac68567c035e070fc9
SSDEEP

12288:eIh4EY1awKtBnrtw8bzRpyMObDkeFsB7pyCEbSTiTwRkfy9h4ORA/KjWHZ1dAx9u:eFoXBnpw8bzRhObDkvEbSDKC2UmKaHZd

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

minunip.no-ip.org:99

Mutex

DC_MUTEX-UZ2SU8T

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
zXVjGZvnzDQ0
install
true
offline_keylogger
true
persistence
true
reg_key
rundll32

Targets

- Target
  
  4cc6c28d2beacff83e9f12bfc0120565_JaffaCakes118
- Size
  
  708KB
- MD5
  
  4cc6c28d2beacff83e9f12bfc0120565
- SHA1
  
  a1c8e595a6d1ac1043fe50e93d87e883d54a3fdf
- SHA256
  
  f018c0d14c1b9ef5421920538e3e0efe33c91fa3bcd7b56fde9252bf0f5b04ef
- SHA512
  
  bd8aa7e44c1e780d41af98970073c39fd399145e9cd55d05f69511aa4dcdc6d964844a128c8ea38aab0f9804466c796fec3907186b83cbac68567c035e070fc9
- SSDEEP
  
  12288:eIh4EY1awKtBnrtw8bzRpyMObDkeFsB7pyCEbSTiTwRkfy9h4ORA/KjWHZ1dAx9u:eFoXBnpw8bzRhObDkvEbSDKC2UmKaHZd
Score

10^/10

darkcomet guest16 discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16discoverypersistencerattrojan

behavioral2

darkcometguest16discoverypersistencerattrojan