darkcomet | ac8353019c8b7df7ce77d97cd190aae6622c46bc0d403455470861f17676402b | Triage

Submit
Reports

Overview

overview

Static

static

QuikHop.exe

windows7-x64

QuikHop.exe

windows10-2004-x64

Sharing

General

Target

6a9a861f636b7cf17d8440c2c830fba6_JaffaCakes118
Size

1.5MB
Sample

241022-qcntfsyclm
MD5

6a9a861f636b7cf17d8440c2c830fba6
SHA1

a4638e429ef2a946252c8507aa2f892705cab28f
SHA256

ac8353019c8b7df7ce77d97cd190aae6622c46bc0d403455470861f17676402b
SHA512

3dc9bac42867341ab8871eef8a175fe8ebad28ba1ea97b5e7fb5af933e287ca18fdee5c6272507f2f798a604c9850175641c5f266c93058dbceb8f624ffa75cd
SSDEEP

49152:A30sDa8qUdqrjDCGmK1QdW4IOderV/qeoaM:A30Ka35CGPiWvZqeg

Score

10^/10

darkcomet modiloader ratted discovery persistence rat trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

QuikHop.exe

Resource

win7-20240903-en

darkcomet modiloader ratted discovery persistence rat trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

QuikHop.exe

Resource

win10v2004-20241007-en

darkcomet modiloader ratted discovery persistence rat trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Ratted

C2

xmcheatsrat.no-ip.biz:1604

Mutex

DC_MUTEX-04RAPF7

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
qkAcCD4iH508
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  QuikHop.exe
- Size
  
  1.5MB
- MD5
  
  9d0ad8344ac8d28f3b03c5ec5acac561
- SHA1
  
  17a9cbeff0cb0717df8acea65e45badc71d33e56
- SHA256
  
  ca39c3d120f7ce30a6ba5a5f2b4c9662360413932daa89c74194daaef07600c2
- SHA512
  
  e962359b80dbfed15be2fb37fb18e649bbcc84cbe188738312cdd876ffab2b72ee08c40f7050211d493392457c9ad7eeca6bfb3f2939ee0346784c5055a062d9
- SSDEEP
  
  49152:rJ2D08gkdyrxfC8qKP2D08gkdyrxfC8qK0:rJE09zC8XE09zC8s
Score

10^/10

darkcomet modiloader ratted discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies WinLogon for persistence
  persistence
- ModiLoader Second Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometmodiloaderratteddiscoverypersistencerattrojan

behavioral2

darkcometmodiloaderratteddiscoverypersistencerattrojan

© 2018-2024

Terms | Privacy