darkcomet | 77253e0c5f0dfb205418dc37cb83cbc89505c2c234e5025ef0a21a9e2c94cc29 | Triage

Sharing

General

Target

917c20807a517aeb9ff33de1f94dbbb9_JaffaCakes118
Size

720KB
Sample

241124-ah6cpazpgq
MD5

917c20807a517aeb9ff33de1f94dbbb9
SHA1

85f6e063cafd9b1a866cc7aaa65c3fadde9348c6
SHA256

77253e0c5f0dfb205418dc37cb83cbc89505c2c234e5025ef0a21a9e2c94cc29
SHA512

7c0d039e65992749d62bbf9ae7c73cfc59babaaa568d1ef251bacdd54ddacf47ad9cc90d8f7db815e2b281f950320d1a3fd9276e4d5f300912d54beec3412e84
SSDEEP

12288:jr+2I2KWdq/3avr/hp4arC17eB6shkDnvMktQRM8s/5RxJh:2729j4arCle0xDnvMcQRJshRX

Score

10^/10

darkcomet ??????discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

??????

C2

alial123.zapto.org:288

Mutex

DC_MUTEX-M2M11G6

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
XfHLu8XqdawJ
install
true
offline_keylogger
true
password
268426
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  917c20807a517aeb9ff33de1f94dbbb9_JaffaCakes118
- Size
  
  720KB
- MD5
  
  917c20807a517aeb9ff33de1f94dbbb9
- SHA1
  
  85f6e063cafd9b1a866cc7aaa65c3fadde9348c6
- SHA256
  
  77253e0c5f0dfb205418dc37cb83cbc89505c2c234e5025ef0a21a9e2c94cc29
- SHA512
  
  7c0d039e65992749d62bbf9ae7c73cfc59babaaa568d1ef251bacdd54ddacf47ad9cc90d8f7db815e2b281f950320d1a3fd9276e4d5f300912d54beec3412e84
- SSDEEP
  
  12288:jr+2I2KWdq/3avr/hp4arC17eB6shkDnvMktQRM8s/5RxJh:2729j4arCle0xDnvMcQRJshRX
Score

10^/10

darkcomet ??????discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcomet??????discoverypersistencerattrojan

behavioral2

darkcomet??????discoverypersistencerattrojan