darkcomet | dfca2d1a071f3bf0b62ef2237b66a42cfdd1fc92ee44eb6af3689b1aa885a860 | Triage

Sharing

General

Target

516261b7d57ce536ad93361de49529c3_JaffaCakes118
Size

991KB
Sample

241017-kfegastbnj
MD5

516261b7d57ce536ad93361de49529c3
SHA1

0b31f8cac12c9f1070463ae1ac1f052de99de601
SHA256

dfca2d1a071f3bf0b62ef2237b66a42cfdd1fc92ee44eb6af3689b1aa885a860
SHA512

94bbd6f278873fb14b27f020e6b78764f0e11341dd25e1a3e676eee5ef041830e59173a19ad790bf16bda0d5c5aad30a02659056d373726a411bea7d65ca19f3
SSDEEP

12288:XeztDN2j6/s57dX0VQNfa1tVLRiBRCp4seyqcIXMztjYOCf1miSAwojbEhCsiZl1:ORg+/s5e1HrMc4zS78sspR5nspk39

Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

andrejpavlin.no-ip.biz:1727

Mutex

DC_MUTEX-A9FM9RZ

Attributes

gencode
nqXTgZgraX23
install
false
offline_keylogger
true
persistence
false

Targets

- Target
  
  516261b7d57ce536ad93361de49529c3_JaffaCakes118
- Size
  
  991KB
- MD5
  
  516261b7d57ce536ad93361de49529c3
- SHA1
  
  0b31f8cac12c9f1070463ae1ac1f052de99de601
- SHA256
  
  dfca2d1a071f3bf0b62ef2237b66a42cfdd1fc92ee44eb6af3689b1aa885a860
- SHA512
  
  94bbd6f278873fb14b27f020e6b78764f0e11341dd25e1a3e676eee5ef041830e59173a19ad790bf16bda0d5c5aad30a02659056d373726a411bea7d65ca19f3
- SSDEEP
  
  12288:XeztDN2j6/s57dX0VQNfa1tVLRiBRCp4seyqcIXMztjYOCf1miSAwojbEhCsiZl1:ORg+/s5e1HrMc4zS78sspR5nspk39
Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies firewall policy service
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16discoveryevasionpersistencerattrojan

behavioral2

darkcometguest16discoveryevasionpersistencerattrojan