darkcomet | c60d84e06944cfe3219b64107d04608960a4fc2cf6abe4763f13bb1fa46903d7 | Triage

Sharing

General

Target

75b7e4f3b01e4cd62a83ed1aca10e497_JaffaCakes118
Size

503KB
Sample

241025-b6zqgs1hna
MD5

75b7e4f3b01e4cd62a83ed1aca10e497
SHA1

6647e17778fec92a27d34caa7e8f0015ac602a98
SHA256

c60d84e06944cfe3219b64107d04608960a4fc2cf6abe4763f13bb1fa46903d7
SHA512

97b5304f058265ede2679ce80dec3fd9224a18a4a32aaf822d3a48d26d361f0cfbdf9e9c1997d65c419e834e5c1aa3a3c8e61fae45106f30df0e8ee3c5fd1ffa
SSDEEP

12288:5HGC8w0ueY7YZzU4LAsLrYpKCEgplake5NhitJE95bf:wC8wfzqUsLrYppEaYv5b8WHbf

Score

10^/10

darkcomet îëîëîëüêà discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Îëîëîëüêà

C2

mrserv.zapto.org:1604

Mutex

DC_MUTEX-9GC1VMQ

Attributes

InstallPath
M4DCSC\msdcsc.exe
gencode
bWcbqcPSQhbp
install
true
offline_keylogger
true
persistence
true
reg_key
WinUpdate

Targets

- Target
  
  75b7e4f3b01e4cd62a83ed1aca10e497_JaffaCakes118
- Size
  
  503KB
- MD5
  
  75b7e4f3b01e4cd62a83ed1aca10e497
- SHA1
  
  6647e17778fec92a27d34caa7e8f0015ac602a98
- SHA256
  
  c60d84e06944cfe3219b64107d04608960a4fc2cf6abe4763f13bb1fa46903d7
- SHA512
  
  97b5304f058265ede2679ce80dec3fd9224a18a4a32aaf822d3a48d26d361f0cfbdf9e9c1997d65c419e834e5c1aa3a3c8e61fae45106f30df0e8ee3c5fd1ffa
- SSDEEP
  
  12288:5HGC8w0ueY7YZzU4LAsLrYpKCEgplake5NhitJE95bf:wC8wfzqUsLrYppEaYv5b8WHbf
Score

10^/10

darkcomet îëîëîëüêà discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies security service
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometîëîëîëüêàdiscoveryevasionpersistencerattrojan

behavioral2