darkcomet | b41f5d22552ebb322c71f0eeb7d50092076cf2909aad2b7600b62c2189faf6a5 | Triage

Sharing

General

Target

703d925fc6a6f241142e8f1bb4b6fc32_JaffaCakes118
Size

758KB
Sample

241023-wz74hawcqk
MD5

703d925fc6a6f241142e8f1bb4b6fc32
SHA1

fc13ff6c6850e2899279b88c50a3f0171b78c40a
SHA256

b41f5d22552ebb322c71f0eeb7d50092076cf2909aad2b7600b62c2189faf6a5
SHA512

836c5970ce4f62ca201141a38188c072779d154845b5ac11ea4b3b0cb7ced7634d2f6755623a4f3dfb58a641bdff0c146b07d5f3755bdecc1b9e9f860a1c7c38
SSDEEP

12288:uXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452U2:wnAw2WWeFcfbP9VPSPMTSPL/rWvzq4Jm

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

213.140.194.52:1604

Mutex

DC_MUTEX-0WX3EPZ

Attributes

InstallPath
update\msdcsc.exe
gencode
MutLvZKoeehX
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  703d925fc6a6f241142e8f1bb4b6fc32_JaffaCakes118
- Size
  
  758KB
- MD5
  
  703d925fc6a6f241142e8f1bb4b6fc32
- SHA1
  
  fc13ff6c6850e2899279b88c50a3f0171b78c40a
- SHA256
  
  b41f5d22552ebb322c71f0eeb7d50092076cf2909aad2b7600b62c2189faf6a5
- SHA512
  
  836c5970ce4f62ca201141a38188c072779d154845b5ac11ea4b3b0cb7ced7634d2f6755623a4f3dfb58a641bdff0c146b07d5f3755bdecc1b9e9f860a1c7c38
- SSDEEP
  
  12288:uXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452U2:wnAw2WWeFcfbP9VPSPMTSPL/rWvzq4Jm
Score

10^/10

darkcomet guest16 discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

guest16darkcomet

behavioral1

darkcometguest16discoverypersistencerattrojan

behavioral2

darkcometguest16discoverypersistencerattrojan