darkcomet | 8fd9a7f984a4c5a9e2ba89ee5aa29b6dad95d09296a40984ab359aa6cde0bbee | Triage

Sharing

General

Target

8a069c028fcc956f46943f1449640a91_JaffaCakes118
Size

1.3MB
Sample

241103-g19ldsxdrp
MD5

8a069c028fcc956f46943f1449640a91
SHA1

eff5a8f848a043dd1d34c22e79914bfba59804fd
SHA256

8fd9a7f984a4c5a9e2ba89ee5aa29b6dad95d09296a40984ab359aa6cde0bbee
SHA512

180bf1d41b6151e235e87c68aefd27c38f2922570a937481752cec0cd5535da6d4e7f0c1035726aaaf5ae7e4c294cdcdb6a553965361836559d43ba5446ab4fd
SSDEEP

12288:ANdxlPKsQ7FK9grZYg0nUvW9uzPPFhYyzGGzDrslSh/i+nNiiQ4qf9JYV578O92y:ANdxAsQAMv1/rsoxO9aXyvT8RYngUDrw

Score

10^/10

darkcomet rs discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

RS

C2

hackerkline1.no-ip.biz:200

Mutex

DC_MUTEX-Z47BQAX

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
fCKM0nfU7Sze
install
true
offline_keylogger
true
password
klin3CJK
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  8a069c028fcc956f46943f1449640a91_JaffaCakes118
- Size
  
  1.3MB
- MD5
  
  8a069c028fcc956f46943f1449640a91
- SHA1
  
  eff5a8f848a043dd1d34c22e79914bfba59804fd
- SHA256
  
  8fd9a7f984a4c5a9e2ba89ee5aa29b6dad95d09296a40984ab359aa6cde0bbee
- SHA512
  
  180bf1d41b6151e235e87c68aefd27c38f2922570a937481752cec0cd5535da6d4e7f0c1035726aaaf5ae7e4c294cdcdb6a553965361836559d43ba5446ab4fd
- SSDEEP
  
  12288:ANdxlPKsQ7FK9grZYg0nUvW9uzPPFhYyzGGzDrslSh/i+nNiiQ4qf9JYV578O92y:ANdxAsQAMv1/rsoxO9aXyvT8RYngUDrw
Score

10^/10

darkcomet rs discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometrsdiscoverypersistencerattrojan

behavioral2

darkcometrsdiscoverypersistencerattrojan