darkcomet | 5732ac20218d329557e17f8babfa74c8ecc5035b2c021d80ec42da75a8c50926 | Triage

Sharing

General

Target

4e80168bcb2673f9fb284d339a1f36be_JaffaCakes118
Size

794KB
Sample

241016-xpmkgswfqb
MD5

4e80168bcb2673f9fb284d339a1f36be
SHA1

55d06c980caf3920a53846dfe106c2e83fe11fae
SHA256

5732ac20218d329557e17f8babfa74c8ecc5035b2c021d80ec42da75a8c50926
SHA512

d12bdb85500d096ba714c2b742ff63da99ff5a2aa69ae23d661c9ab4c9ca8beca458947c813a4c03127b22ef10b9bab5a07c17dcda623021ba4e3526d519e021
SSDEEP

12288:7l6RkwVNVSNW9dDRySO94a29sL1Ni8r1NTTbsTohYWEgRW1ah2M:7wkwVmNW9lBNs5Ni8rXTPsE3LIahR

Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

bomido.no-ip.biz:5000

Mutex

DC_MUTEX-QJ5HZQG

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
9GXWxSfCCvaS
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  4e80168bcb2673f9fb284d339a1f36be_JaffaCakes118
- Size
  
  794KB
- MD5
  
  4e80168bcb2673f9fb284d339a1f36be
- SHA1
  
  55d06c980caf3920a53846dfe106c2e83fe11fae
- SHA256
  
  5732ac20218d329557e17f8babfa74c8ecc5035b2c021d80ec42da75a8c50926
- SHA512
  
  d12bdb85500d096ba714c2b742ff63da99ff5a2aa69ae23d661c9ab4c9ca8beca458947c813a4c03127b22ef10b9bab5a07c17dcda623021ba4e3526d519e021
- SSDEEP
  
  12288:7l6RkwVNVSNW9dDRySO94a29sL1Ni8r1NTTbsTohYWEgRW1ah2M:7wkwVmNW9lBNs5Ni8rXTPsE3LIahR
Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Windows security bypass
  evasion trojan
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16discoveryevasionpersistencerattrojan

behavioral2

darkcometguest16discoveryevasionpersistencerattrojan