darkcomet | 284a8d0f09ac22db469439e098d0bc6706bc96c7cf68ccbb5ef35534b62ff821 | Triage

Sharing

General

Target

6d07952bb7955a0e3843ad6682ab44fc_JaffaCakes118
Size

853KB
Sample

241023-efbshs1fmn
MD5

6d07952bb7955a0e3843ad6682ab44fc
SHA1

1ee6ae4d8c17cda36cbeee34748d6fb56080ba01
SHA256

284a8d0f09ac22db469439e098d0bc6706bc96c7cf68ccbb5ef35534b62ff821
SHA512

2b4ab8fc089ab29275409fc0583a4b02808ec584ee3a19e3c302583c9870bd137eb57e71e48661e5fd9f5fda8b626e102c3b910afeff580e7eb228fc393ad7d4
SSDEEP

12288:1tDG20jqd59c8av2ueqYsYsyIDnX3ZUUS+A35Zg1hqizLXICiii:1tD4jkTcR2u9lLDnXuTV35O1hqCkCfi

Score

10^/10

darkcomet guest16_min discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

pritt48.no-ip.biz:1604

Mutex

DCMIN_MUTEX-2MNRTS6

Attributes

gencode
jPjyKEUnTaAk
install
false
offline_keylogger
true
persistence
false

Targets

- Target
  
  6d07952bb7955a0e3843ad6682ab44fc_JaffaCakes118
- Size
  
  853KB
- MD5
  
  6d07952bb7955a0e3843ad6682ab44fc
- SHA1
  
  1ee6ae4d8c17cda36cbeee34748d6fb56080ba01
- SHA256
  
  284a8d0f09ac22db469439e098d0bc6706bc96c7cf68ccbb5ef35534b62ff821
- SHA512
  
  2b4ab8fc089ab29275409fc0583a4b02808ec584ee3a19e3c302583c9870bd137eb57e71e48661e5fd9f5fda8b626e102c3b910afeff580e7eb228fc393ad7d4
- SSDEEP
  
  12288:1tDG20jqd59c8av2ueqYsYsyIDnX3ZUUS+A35Zg1hqizLXICiii:1tD4jkTcR2u9lLDnXuTV35O1hqCkCfi
Score

10^/10

darkcomet guest16_min discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16_mindiscoverypersistencerattrojan

behavioral2

darkcometguest16_mindiscoverypersistencerattrojan