darkcomet | e4f036226324c182632a98380492bb27763ff6cdd9fb0d245f192466b0e7e843 | Triage

Sharing

General

Target

845b6ee63a9152cb8643b92a3ae90af9_JaffaCakes118
Size

1.2MB
Sample

241101-lpmdyaxphy
MD5

845b6ee63a9152cb8643b92a3ae90af9
SHA1

083e3c8909a8b9ae7c8a2c8a863e2b946552d713
SHA256

e4f036226324c182632a98380492bb27763ff6cdd9fb0d245f192466b0e7e843
SHA512

6581b7817354bebbf66f43bdfddec67c9509e60ae25d0cffdc4d5e887edf9605832c8d6e495aeb48a62973781d5daae24c8057fcfb8864d4d9eaf0d0543293e5
SSDEEP

12288:NVYOQyD2jIzt+cpUlnKFP8xMz1Tv5G9GHZK/wgbrtMuWsL2tEFa1g9w3ppvD0tY1:4WMKUav5QbaCPUItj1uaQp6m

Score

10^/10

darkcomet guest16_min discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

xoman.no-ip.org:1604

Mutex

DCMIN_MUTEX-ALKG91K

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
CrUq1cZTXVCH
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Targets

- Target
  
  845b6ee63a9152cb8643b92a3ae90af9_JaffaCakes118
- Size
  
  1.2MB
- MD5
  
  845b6ee63a9152cb8643b92a3ae90af9
- SHA1
  
  083e3c8909a8b9ae7c8a2c8a863e2b946552d713
- SHA256
  
  e4f036226324c182632a98380492bb27763ff6cdd9fb0d245f192466b0e7e843
- SHA512
  
  6581b7817354bebbf66f43bdfddec67c9509e60ae25d0cffdc4d5e887edf9605832c8d6e495aeb48a62973781d5daae24c8057fcfb8864d4d9eaf0d0543293e5
- SSDEEP
  
  12288:NVYOQyD2jIzt+cpUlnKFP8xMz1Tv5G9GHZK/wgbrtMuWsL2tEFa1g9w3ppvD0tY1:4WMKUav5QbaCPUItj1uaQp6m
Score

10^/10

darkcomet guest16_min discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16_mindiscoverypersistencerattrojan

behavioral2

darkcometguest16_mindiscoverypersistencerattrojan