darkcomet | d285ad1d4bbdf4e63a80afcea9679561315a933db01940e5d9c7bea819b8a9f0 | Triage

Submit
Reports

Overview

overview

Static

static

3

68fe59e170...18.exe

windows7-x64

68fe59e170...18.exe

windows10-2004-x64

7

Sharing

General

Target

68fe59e1702507aabe092580c728027d_JaffaCakes118
Size

1.0MB
Sample

241022-fjjg7sycqd
MD5

68fe59e1702507aabe092580c728027d
SHA1

63d18dce3c525b1d35fbcd23608db8a24c2a03ba
SHA256

d285ad1d4bbdf4e63a80afcea9679561315a933db01940e5d9c7bea819b8a9f0
SHA512

b13be73f92b3e480e3beca94b88c7ab308929f95caac06b0ef17c647ab0e14dd567318c1fd265669d78a2fd7442ff266907f475ff68f0464a1ba67c4fdeae0ab
SSDEEP

24576:WNwxr6srakqFXtpXHmjl1HJbmXg6nU6YL12wv44Z7IhHP:WNS3qFXbmjbHJhfL1n4Thv

Score

10^/10

darkcomet äôæý discovery evasion persistence rat themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

68fe59e1702507aabe092580c728027d_JaffaCakes118.exe

Resource

win7-20241010-en

darkcomet äôæý discovery evasion persistence rat themida trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

68fe59e1702507aabe092580c728027d_JaffaCakes118.exe

Resource

win10v2004-20241007-en

discovery evasion themida

windows10-2004-x64

6 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

äÔæÝ

C2

ogdd.servemp3.com:4433

Mutex

DC_MUTEX-GT7237V

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
ocTuHz4stNPx
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  68fe59e1702507aabe092580c728027d_JaffaCakes118
- Size
  
  1.0MB
- MD5
  
  68fe59e1702507aabe092580c728027d
- SHA1
  
  63d18dce3c525b1d35fbcd23608db8a24c2a03ba
- SHA256
  
  d285ad1d4bbdf4e63a80afcea9679561315a933db01940e5d9c7bea819b8a9f0
- SHA512
  
  b13be73f92b3e480e3beca94b88c7ab308929f95caac06b0ef17c647ab0e14dd567318c1fd265669d78a2fd7442ff266907f475ff68f0464a1ba67c4fdeae0ab
- SSDEEP
  
  24576:WNwxr6srakqFXtpXHmjl1HJbmXg6nU6YL12wv44Z7IhHP:WNS3qFXbmjbHJhfL1n4Thv
Score

10^/10

darkcomet äôæý discovery evasion persistence rat themida trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometäôæýdiscoveryevasionpersistenceratthemidatrojan

behavioral2

discoveryevasionthemida

© 2018-2024

Terms | Privacy