darkcomet | f11feb67029da1a2d4d32d9ef5a0c29736b8cfcc5e45663e556896c3cfb2b8ea | Triage

Sharing

General

Target

6d6e71da458aad967f2d4a11d022d562_JaffaCakes118
Size

658KB
Sample

241023-gwm7lavcph
MD5

6d6e71da458aad967f2d4a11d022d562
SHA1

1262a634ebb288c9fa493fd62278581e2f8490b7
SHA256

f11feb67029da1a2d4d32d9ef5a0c29736b8cfcc5e45663e556896c3cfb2b8ea
SHA512

2d6831aa0cf303ad51a2b781c16af6bd1b902912d096094b5ab05ef4f020ec53d893c94ec256b0d992f89367ecf88edcc4e01a92ad03e4c6a703b9297dbc632e
SSDEEP

12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h8:KZ1xuVVjfFoynPaVBUR8f+kN10EBu

Score

10^/10

darkcomet serveur discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

serveur

C2

geek.no-ip.biz:200

Mutex

DC_MUTEX-TAZNVNN

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
GFY04QAoSYCB
install
true
offline_keylogger
true
persistence
true
reg_key
rundll32

Targets

- Target
  
  6d6e71da458aad967f2d4a11d022d562_JaffaCakes118
- Size
  
  658KB
- MD5
  
  6d6e71da458aad967f2d4a11d022d562
- SHA1
  
  1262a634ebb288c9fa493fd62278581e2f8490b7
- SHA256
  
  f11feb67029da1a2d4d32d9ef5a0c29736b8cfcc5e45663e556896c3cfb2b8ea
- SHA512
  
  2d6831aa0cf303ad51a2b781c16af6bd1b902912d096094b5ab05ef4f020ec53d893c94ec256b0d992f89367ecf88edcc4e01a92ad03e4c6a703b9297dbc632e
- SSDEEP
  
  12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h8:KZ1xuVVjfFoynPaVBUR8f+kN10EBu
Score

10^/10

darkcomet serveur discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

serveurdarkcomet

behavioral1

darkcometserveurdiscoveryevasionpersistencerattrojan

behavioral2

darkcometserveurdiscoveryevasionpersistencerattrojan