darkcomet | c2a7156cc2c645df95d6af8f2ee7ace159f3772149213f896bc82d9bc8c7a5d2 | Triage

Sharing

General

Target

4ab17dc92cf4aa8230d6fac5931d9564_JaffaCakes118
Size

2.0MB
Sample

241020-zvzhcasajj
MD5

4ab17dc92cf4aa8230d6fac5931d9564
SHA1

1a2c1029f0baffe08e92373292739d616607fea0
SHA256

c2a7156cc2c645df95d6af8f2ee7ace159f3772149213f896bc82d9bc8c7a5d2
SHA512

56e43b5f9ce4744ea8a4c4568e6234765b6737324122d1fd430db70c2bafd1a81f20d5db5cacb9b631eb4e3b2cc08c031c8b267f954b098791da48e91b4c2654
SSDEEP

49152:IyDIihz4W7kvWDQA0wMe7TtCqNY0Wi7zkxhb:Ij84WAvW10wMe7TtjY01Ix

Score

10^/10

darkcomet guest1 discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest1

C2

Germanytop.no-ip.org:1604

Mutex

DC_MUTEX-GJGZ65W

Attributes

InstallPath
Local\Temp\wvrss.exe
gencode
cadhLisrwVbS
install
true
offline_keylogger
true
password
sexyadmin
persistence
false
reg_key
WindowsFirewall

Targets

- Target
  
  4ab17dc92cf4aa8230d6fac5931d9564_JaffaCakes118
- Size
  
  2.0MB
- MD5
  
  4ab17dc92cf4aa8230d6fac5931d9564
- SHA1
  
  1a2c1029f0baffe08e92373292739d616607fea0
- SHA256
  
  c2a7156cc2c645df95d6af8f2ee7ace159f3772149213f896bc82d9bc8c7a5d2
- SHA512
  
  56e43b5f9ce4744ea8a4c4568e6234765b6737324122d1fd430db70c2bafd1a81f20d5db5cacb9b631eb4e3b2cc08c031c8b267f954b098791da48e91b4c2654
- SSDEEP
  
  49152:IyDIihz4W7kvWDQA0wMe7TtCqNY0Wi7zkxhb:Ij84WAvW10wMe7TtjY01Ix
Score

10^/10

darkcomet guest1 discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest1discoveryevasionpersistencerattrojan

behavioral2

darkcometguest1discoveryevasionpersistencerattrojan