darkcomet | d6df64bbc9873e60a38dfb6ff3fe0a3d0763167e07b84279ba328860d48cd4e9 | Triage

Sharing

General

Target

8f58c94ece1bace4e3eac74c51950fcc_JaffaCakes118
Size

886KB
Sample

241104-fylwwatnbv
MD5

8f58c94ece1bace4e3eac74c51950fcc
SHA1

a95f0b844701f05054b7382be6aa7888498a2626
SHA256

d6df64bbc9873e60a38dfb6ff3fe0a3d0763167e07b84279ba328860d48cd4e9
SHA512

dfaafd564837b4f2466b0215de21234c8ac82057ebec19fa2479b590fb774aa361ca2dc2e1a0142599ae302ddfb2b9dffb68750192912647f29949684bf4a862
SSDEEP

12288:xXZFfk9Qc45ejXv1LvwrNIlcH/OohtdtYTZqgA9Yrs5WCTj4LXynXyLLlQ:Vvk9Q9er9jw56cH/Ntdt/gcY45WC/rE

Score

10^/10

darkcomet torrent discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

torrent

C2

xstf.servegame.com:12333

Mutex

DC_MUTEX-QFZLF9C

Attributes

InstallPath
My Torrents\torrent.exe
gencode
pCFNmbgnqzps
install
true
offline_keylogger
true
password
xsTFyRVa37890
persistence
false
reg_key
torrent

Targets

- Target
  
  8f58c94ece1bace4e3eac74c51950fcc_JaffaCakes118
- Size
  
  886KB
- MD5
  
  8f58c94ece1bace4e3eac74c51950fcc
- SHA1
  
  a95f0b844701f05054b7382be6aa7888498a2626
- SHA256
  
  d6df64bbc9873e60a38dfb6ff3fe0a3d0763167e07b84279ba328860d48cd4e9
- SHA512
  
  dfaafd564837b4f2466b0215de21234c8ac82057ebec19fa2479b590fb774aa361ca2dc2e1a0142599ae302ddfb2b9dffb68750192912647f29949684bf4a862
- SSDEEP
  
  12288:xXZFfk9Qc45ejXv1LvwrNIlcH/OohtdtYTZqgA9Yrs5WCTj4LXynXyLLlQ:Vvk9Q9er9jw56cH/Ntdt/gcY45WC/rE
Score

10^/10

darkcomet torrent discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Molebox Virtualization software
  Detects file using Molebox Virtualization software.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcomettorrentdiscoverypersistencerattrojan

behavioral2

darkcomettorrentdiscoverypersistencerattrojan