darkcomet | 7ff06f9b3f8fe3f8178fe99ff2a6239f707adf57ce4f5cd15766cdfd818a9ec5 | Triage

Sharing

General

Target

7ff06f9b3f8fe3f8178fe99ff2a6239f707adf57ce4f5cd15766cdfd818a9ec5N
Size

636KB
Sample

241022-ml2vwszgpd
MD5

5d99afdc7eae37f3d3c15d0afe04c6a0
SHA1

00f0e1fb92389422a9e22bffd4a966e980f40990
SHA256

7ff06f9b3f8fe3f8178fe99ff2a6239f707adf57ce4f5cd15766cdfd818a9ec5
SHA512

521919f61c1e74e881dbbcd86f8dbc2f6e3da62249b33cf5e4d2071c4eef3c9104743c50e319daad9629a4afb6953108ec776933ae13a1df551438997ccc82a5
SSDEEP

12288:/pwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/W:xwAcu99lPzvxP+Bsz2XjWTRMQckkIXne

Score

10^/10

darkcomet discovery evasion persistence rat trojan

Malware Config

Targets

- Target
  
  7ff06f9b3f8fe3f8178fe99ff2a6239f707adf57ce4f5cd15766cdfd818a9ec5N
- Size
  
  636KB
- MD5
  
  5d99afdc7eae37f3d3c15d0afe04c6a0
- SHA1
  
  00f0e1fb92389422a9e22bffd4a966e980f40990
- SHA256
  
  7ff06f9b3f8fe3f8178fe99ff2a6239f707adf57ce4f5cd15766cdfd818a9ec5
- SHA512
  
  521919f61c1e74e881dbbcd86f8dbc2f6e3da62249b33cf5e4d2071c4eef3c9104743c50e319daad9629a4afb6953108ec776933ae13a1df551438997ccc82a5
- SSDEEP
  
  12288:/pwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/W:xwAcu99lPzvxP+Bsz2XjWTRMQckkIXne
Score

10^/10

darkcomet discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdiscoveryevasionpersistencerattrojan

behavioral2

darkcometdiscoveryevasionpersistencerattrojan