darkcomet | e0b17abe31aeccd2ecd31c1ff7d2276f0a27b2b04d060e7555a3c0589ff08be4 | Triage

Sharing

General

Target

5ca4b78f414036b4bf34bc8de3947318_JaffaCakes118
Size

4.0MB
Sample

241019-pq7ytawcnh
MD5

5ca4b78f414036b4bf34bc8de3947318
SHA1

6f3b3802691384a3c1bfa55489ca03f5541e8683
SHA256

e0b17abe31aeccd2ecd31c1ff7d2276f0a27b2b04d060e7555a3c0589ff08be4
SHA512

e84a9ffd5901d55b457b2d6dd03ad1bc829cdd3fb3e67b26238d94e7b4c99636f7e399d56de2f87ab970d9ef39df5a0b10af0eea4d39b0b7a811cb0f1b838e66
SSDEEP

98304:o/nqPXevmgbSwFDWwuJvTx/qzaRQVbEZTubdS2NdQqVh:o/qXXwFDTuJvT0m+bEtubQ

Score

10^/10

darkcomet renner discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Renner

C2

tutoriais157.no-ip.org:1604

Mutex

DC_MUTEX-XXCP2CL

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
i2mVQTZrqSxh
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  5ca4b78f414036b4bf34bc8de3947318_JaffaCakes118
- Size
  
  4.0MB
- MD5
  
  5ca4b78f414036b4bf34bc8de3947318
- SHA1
  
  6f3b3802691384a3c1bfa55489ca03f5541e8683
- SHA256
  
  e0b17abe31aeccd2ecd31c1ff7d2276f0a27b2b04d060e7555a3c0589ff08be4
- SHA512
  
  e84a9ffd5901d55b457b2d6dd03ad1bc829cdd3fb3e67b26238d94e7b4c99636f7e399d56de2f87ab970d9ef39df5a0b10af0eea4d39b0b7a811cb0f1b838e66
- SSDEEP
  
  98304:o/nqPXevmgbSwFDWwuJvTx/qzaRQVbEZTubdS2NdQqVh:o/qXXwFDTuJvT0m+bEtubQ
Score

10^/10

darkcomet renner discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Disables RegEdit via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometrennerdiscoveryevasionpersistencerattrojan

behavioral2

darkcometrennerdiscoveryevasionpersistencerattrojan