darkcomet | 5c238bef33a4fb8662513b830dd9de975c9d13f23b8efdbb3532c682bf180578 | Triage

Submit
Reports

Overview

overview

Static

static

5c238bef33...78.exe

windows7-x64

5c238bef33...78.exe

windows10-2004-x64

Sharing

General

Target

5c238bef33a4fb8662513b830dd9de975c9d13f23b8efdbb3532c682bf180578
Size

283KB
Sample

241026-zy5tjazemn
MD5

0137cad2f4aa8106ca20f59b4f3d99c7
SHA1

3c592c1b2f39d37ad68250f264887865be576f46
SHA256

5c238bef33a4fb8662513b830dd9de975c9d13f23b8efdbb3532c682bf180578
SHA512

d019103f20906b4641cafb1323ac880d144826754049d7cb7c84647e77cddea743520e431f9dfdc050711d9e8dd2d9ff5baa855cda8ee597b99a2d8fbb2d41df
SSDEEP

6144:DcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37G:DcW7KEZlPzCy37G

Score

10^/10

darkcomet arabeff discovery evasion persistence rat trojan upx

Static task

static1

upx arabeff darkcomet

3 signatures

Behavioral task

behavioral1

Sample

5c238bef33a4fb8662513b830dd9de975c9d13f23b8efdbb3532c682bf180578.exe

Resource

win7-20241023-en

darkcomet arabeff discovery evasion persistence rat trojan upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

5c238bef33a4fb8662513b830dd9de975c9d13f23b8efdbb3532c682bf180578.exe

Resource

win10v2004-20241007-en

darkcomet arabeff discovery evasion persistence rat trojan upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

ARABEFF

C2

foru.no-ip.info:1604

foru.no-ip.info:5555

foru.no-ip.info:2000

foru1.no-ip.info:2000

foru1.no-ip.info:5555

foru1.no-ip.info:1604

desgarrada.no-ip.org:1604

desgarrada1.no-ip.org:1604

Mutex

Svchost

Attributes

InstallPath
Windows\windows.exe
gencode
2uVzLNvVHcYl
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  5c238bef33a4fb8662513b830dd9de975c9d13f23b8efdbb3532c682bf180578
- Size
  
  283KB
- MD5
  
  0137cad2f4aa8106ca20f59b4f3d99c7
- SHA1
  
  3c592c1b2f39d37ad68250f264887865be576f46
- SHA256
  
  5c238bef33a4fb8662513b830dd9de975c9d13f23b8efdbb3532c682bf180578
- SHA512
  
  d019103f20906b4641cafb1323ac880d144826754049d7cb7c84647e77cddea743520e431f9dfdc050711d9e8dd2d9ff5baa855cda8ee597b99a2d8fbb2d41df
- SSDEEP
  
  6144:DcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37G:DcW7KEZlPzCy37G
Score

10^/10

darkcomet arabeff discovery evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Windows security bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

upxarabeffdarkcomet

behavioral1

darkcometarabeffdiscoveryevasionpersistencerattrojanupx

behavioral2

darkcometarabeffdiscoveryevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy