darkcomet

Sharing

Copy URL

Twitter E-mail

General

Target

Njrat 0.7d PASS( 777 ).rar
Size

1.9MB
Sample

241125-cfzhgaxqgp
MD5

80c1fb0c86898658d850af1462eebdfc
SHA1

ae2b606ce489b6a4c6e15ffd3ed3ce9c0094953c
SHA256

1b0717bb1a92dbdc992dfd8958c2ba4d4db22b056a728ee1bdd06b9eb9d93be2
SHA512

c1c655d5b055eb80f9554c5f9f7df008b0c8856669e80516ca6d44c742ea2c23ed64e65577eb68912c521f1c79de3c0375990853a64c988f7b3cbb208ae85b32
SSDEEP

49152:KIRS9vT+F6EmLekZh86xwu1ETCFi4IegtHbp6:rS+F6Tiehiu1Zt4s

Score

10^/10

Malware Config

Extracted

Family

darkcomet

Botnet

lol

dcplusplus.ddns.net:1604

Mutex

DC_MUTEX-TS69B03

Attributes

InstallPath
startup.exe
gencode
RAe9JPzTc6ht
install
true
offline_keylogger
true
persistence
false
reg_key
MicrosoftUpdate

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Mutex

[RNVD]

Attributes

reg_key
[RNVD]
splitter
|Hassan|

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

Targets

- Target
  
  InjectIcon.dll
- Size
  
  13KB
- MD5
  
  83921e813f885ae1669aa0efa21f8695
- SHA1
  
  130f59f513eb64018736c0173d45a2b524c282fc
- SHA256
  
  98348ffe70a68f69d934118a2d14b86b382d698601827a4c1d322d878d36bbdc
- SHA512
  
  f123ef9c5fd3157c6f51b1ac02d6103baa1ebd2a02e3c2d95355b15ce3730f241c0d61d1ffc07713b8d3af7600730d29049683c589c7007a9a4e7bb4707f58c3
- SSDEEP
  
  192:OLCpu5eYPefzYTZVzunlYJL/eBvnaDNIDLTHqaf0+E+sQAE8UBscU:OL+1qe09prqNnq+LTGQY
Score

1^/10
behavioral1 behavioral2
- Target
  
  Mono.Cecil.dll
- Size
  
  305KB
- MD5
  
  851ec9d84343fbd089520d420348a902
- SHA1
  
  f8e2a80130058e4db3cf569cf4297d07d05c93e0
- SHA256
  
  cdadc26c09f869e21053ee1a0acf3b2d11df8edd599fe9c377bd4d3ce1c9cda9
- SHA512
  
  5e1d1b953fda4a905749eff8c4133a164748ba08c4854348539d335cf53c873eae7c653807a2701bf307693a049ae6c523bd1497a8e659bdea0a71085a58a5f1
- SSDEEP
  
  6144:ueMQM/aMOZabe3h1PtRjAqmYVNf3yTXcYBbt6KMBhu:uF/aMDb8BtRjA7XcYNclB
Score

1^/10
behavioral3 behavioral4
- Target
  
  NjRat 0.7D Golden Edition - Rus.exe
- Size
  
  830KB
- MD5
  
  cc34f66c10eecdd6061bb9a8a3f19d88
- SHA1
  
  6170e74e5133ec3fed9b0c9fd49f201246640f6b
- SHA256
  
  6dc87cb8cd2b6a30b93d435f1d4143e2a904f0bd0c2051db748b24fac8de8666
- SHA512
  
  1d591b1353e3d2d605cd8dabd82e35da4bf3427ca3895962eb0d17fa92680974ea9b99e7b58eaee5f3f8820ed158b3fb62e2f4370ef13aa2b16d12ae3b981232
- SSDEEP
  
  12288:mcW7KEZlPzCy37ztCHfNBZbsq16hMOeMmBwfjF75mkBTundtnTs7+C6tbm:qKiRzC0ztcEhhe5wpEkgnnW68
Score

10^/10

darkcomet lol discovery evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral5 behavioral6
- Target
  
  Plugin/AntiProcess.dll
- Size
  
  16KB
- MD5
  
  b21947a28760750689f46e071d575d07
- SHA1
  
  6008a9ff367e7a715422d2e2f96312f1a3231a9e
- SHA256
  
  f643ab116e7bd8515032a502b8700afb5bdbfc08fc1caa08817b3061e98b763e
- SHA512
  
  75fd467e4be5480e7dc4ce665a50cf5fcea3c4301f17674feec866d04e0f7036efaec0feffa35fc07ab19b70ff82d133c457c88d7c776f62160bff6cf13a2399
- SSDEEP
  
  384:0sRt7Wow+KPUhkRf1jJXMgthizKN8dhct+1W7Lf45kNQfjO8pZ3TR:xRt7Wow+KPUhkRf1jJX4dhVI/mf
Score

7^/10

discovery
- Drops startup file
behavioral7 behavioral8
- Target
  
  Plugin/cam.dll
- Size
  
  62KB
- MD5
  
  7eba4d9562bf7fc14f2c1bb142a1aa6f
- SHA1
  
  7c0f49bd672100881e7340a480dc6674d5dfc862
- SHA256
  
  5f00cda5808e3fd126d452708308ddee6556cb83adaccd02efe83654a40fc641
- SHA512
  
  5e7e9ee05674eb6a943b84437a46cd6c4dd7d63cd95bf308cd614026383eafc087590f6238a5282e275cf1875038aaa46ef843a5c6d322e3b7b1a63e2d454830
- SSDEEP
  
  1536:CfGJpkk261SBIAPVQfiZba2epz5B7hzUzaQo:QGJt3MIAdZbLepz5BlzUz5
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  Plugin/ch.dll
- Size
  
  23KB
- MD5
  
  2490eda5b4450138ba79f39fcc90048a
- SHA1
  
  f8af994fdeeb8afbf7d95e816da389a7eb09806e
- SHA256
  
  3bc2898da9cd9e202b7795b330fa3daff81a4b02ab4ecfe47fdd712c53252f12
- SHA512
  
  4f96028666bcb0a80730e8429082c2ab839fe8662086ad9735641fe8e55d51f909171124b1500c1da4065f26a9d3118c8b6c24d1827d12c5c887cd1e358a2d58
- SSDEEP
  
  384:B3RxTVz/Cn1CfWok/7+I98wxOaPlXfNIsGwPEvMnNKp9p:fxTVzK10N69XfNIUUpz
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  Plugin/mic.dll
- Size
  
  48KB
- MD5
  
  1607999c56366fc2096a27a8bd237b98
- SHA1
  
  0e0a61c55c6a7e8fecaa2053afeaf816095374a2
- SHA256
  
  7d327985d7e4f83adffbdf831c1e999c68cb90238790b63260af19d24bfa66b8
- SHA512
  
  d30a642f26307f16a88782de2635b6e7b852dcbc90975c3920d61468dde06ed921074d95bd9d3b3b058ce4ce54973254370830d68f94a0d56b5072e82b890b85
- SSDEEP
  
  768:fI3iafm1WcNQtd53fddlGemdITB8l/zkgQM8QRyHQuhwWCTxqPbojlfB:H1WcGyem7QXMryHQvWCTxqPbojl
Score

1^/10
behavioral13 behavioral14
- Target
  
  Plugin/plg.dll
- Size
  
  28KB
- MD5
  
  04cb30a874ee349721b0398594de65fe
- SHA1
  
  8f3272e318edd73c1f4194f3a90143e18f158e10
- SHA256
  
  6f8770a35ec0845226a28dd57c8ae414dc8814a6871bd0bb818bb13ca3b82106
- SHA512
  
  a69b3bc0e30ddaae10478626ac231b214864b722c9254d932a81ea1016f4f49cf04551d17cbe93819f9e1bd88f679fdc1f5446761c7065e2b0d30a8b7edf40ae
- SSDEEP
  
  768:l78dTGdbp1AD8CYDMxelHpWuVP1eksWwnb9s7:+5hD8C2MxeSidBeb9s
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  Plugin/pw.dll
- Size
  
  251KB
- MD5
  
  872401528fc94c90f3de6658e776cc36
- SHA1
  
  c58e22158774d16831350de79eb4e1711379e8a6
- SHA256
  
  3a1cc072effd8c38406a6fddf4d8f49c5366bb0e32071311d90db669940987ce
- SHA512
  
  6da881fb968ba9d9200777a9f19d69220468482f3eaaf687c433790d512da520f5adb23441fdc8f3fd10785918eb2864ea3ef32ddb80d2f6665550ea455f4a2f
- SSDEEP
  
  6144:/e31bXJVFJmShoCKFdZ3aDGjXsCUjguhyUOMO1:WxJ/JmSG9T8CEgdM
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  Plugin/sc2.dll
- Size
  
  12KB
- MD5
  
  9c8b5c9ec7d24ef02c7df4e589dba366
- SHA1
  
  6f939463f40343cf62afc072978c833ee864914f
- SHA256
  
  f97aadb4d1c59f4b3155a9ec57f91a05700aed38b0090096f8f1e0e7975b6561
- SHA512
  
  a4bf281274c22b41b8faf0cbe7559c5a62bd7614bcc06cdc29f8f28419010bdadcb70a850886b4be9d7b6edb370fb34283a5f0991a1320edbaa12b5a194f8196
- SSDEEP
  
  192:dUFqUAbp57yUnWcL90wG1YL7ANg5egmdOnB61f8a54qwynam0q61pLWnVG:dUcNWcL90wG10MNg5PTM1Ea54qwOaz2G
Score

1^/10
behavioral19 behavioral20
- Target
  
  WinMM.Net.dll
- Size
  
  43KB
- MD5
  
  d4b80052c7b4093e10ce1f40ce74f707
- SHA1
  
  2494a38f1c0d3a0aa9b31cf0650337cacc655697
- SHA256
  
  59e2ac1b79840274bdfcef412a10058654e42f4285d732d1487e65e60ffbfb46
- SHA512
  
  3813b81f741ae3adb07ae370e817597ed2803680841ccc7549babb727910c7bff4f8450670d0ca19a0d09e06f133a1aaefecf5b5620e1b0bdb6bcd409982c450
- SSDEEP
  
  768:LyasDzF2TDSemqD9tGI+ffwj2Au0LVpqmf7KxcOOrYCPTxqPb85:LyaXKemqD9tGI+ffwj2Au0LVpq4KWrlv
Score

1^/10
behavioral21 behavioral22
- Target
  
  stubs/Anti.bin
- Size
  
  12KB
- MD5
  
  2170473f4f2b81e9b909996b0f459d16
- SHA1
  
  81be2df85521167bcffd449e22db1add18e7bc5c
- SHA256
  
  01d0bedcc943e13e341578423a2fc6848d9f63f1c5800b9a16bd64f65a1fcdde
- SHA512
  
  f5d879a45dfa733e264018fc4a714421e8b5fef5f8f06f2293ac327bbc4f4d09fc123a38d271bbd1dbc6e0ca206ec618027a10bf5291d7bb804862cef4aeb416
- SSDEEP
  
  192:J1o3yrrIXd2lBBVCfA+XZm7nloYk4kNIDLR7swYoxU5R09KxK:J1o2k6BBVIA+JT4g+LRwcCRCKx
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  stubs/Stub.bin
- Size
  
  44KB
- MD5
  
  2ca8aa52af999240dddb9790a1f474bc
- SHA1
  
  599fa5e9ce3f7a634543595f73dd92bd5e406d8e
- SHA256
  
  f9901a131548492470fab93c1d607be4d5cfa174f5b2efe2a592fddfa3af9fdd
- SHA512
  
  5bad1d2bfdd6259456b8beba60a93341a6f3dab3d673bfdc6003891357e3bf1344059849c8941f532f46791d25ddd29040c5a4549ae676a80cd545471658a9e9
- SSDEEP
  
  384:7F7RVdzu0ohd1vwyxEsvgvRpkhcaE1EgRqmVldNCJ9yko5lwWHWqb4Zz8ujoLT3m:BMDzBd7vAcIqAdQJ9O5GWHW6UkA
Score

10^/10

njrat discovery trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
behavioral25 behavioral26
- Target
  
  stubs/dlentrypoint.bin
- Size
  
  11KB
- MD5
  
  4a7b5a4da67c17c762cb538e6fec9ed1
- SHA1
  
  65945d34c9484151c67f9a780c488186db4aece7
- SHA256
  
  c8294263bb4e447f53eeb9e639dba6ec24d735d80a7d05894e8b88bd115f2970
- SHA512
  
  fcea20011c5cfc91b1f523bafe7df96a1723bab7a7bf182ba14caddd76eb658faae9a8840b9095a8f30d6ea8665e163b014649dc32dc3c0f781a435f4be11c2b
- SSDEEP
  
  192:RFXnc1L11AvlszLq65grqZmGnloYk4KNIDLT7pnElS+Fs:RFs1LnAvlszeILy4a+LT7pElf
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  stubs/dlnormal.bin
- Size
  
  11KB
- MD5
  
  2b53e572879a63aaa6ab032221a24d99
- SHA1
  
  cecfb4dad0d128bc78369aba53839828af223ff1
- SHA256
  
  0e36c6fbbc68953d2702c3d5f84eeb35912ce9a53aadf467f8df60faf51a7f5e
- SHA512
  
  327d26775f38f29f462c8a3a9d921ab0d89cf80527acb2ddd539d0842988f93c2cbf335a865cea893ab2a81915a95683cdfd8033f9a357aacbf0b8d3360e8188
- SSDEEP
  
  192:3d3WKytoFQldQKDFdzG1nvlldKXZmGnloYk46NIDLRKQVuYvpxGBA:N3Wuy7FBGJvl7KJy4q+LRK6lx8A
Score

1^/10
behavioral29 behavioral30
- Target
  
  stubs/mpress.exe
- Size
  
  101KB
- MD5
  
  8b632bfc3fe653a510cba277c2d699d1
- SHA1
  
  d6a57aa17e5eb51297def9bac04e574c1e36d9c7
- SHA256
  
  2852680c94a9d68cdab285012d9328a1ceca290db60c9e35155c2bb3e46a41b4
- SHA512
  
  b9ea70ed984d3b4a42eceb9f34f222b722c4c1985b79b368d769fe0fd1f19f037ffebe2cf938aa98ed450337836a7469d911848448d99223995f7fb3a9304587
- SSDEEP
  
  3072:S0+mlNniJkkKcfqBOb65VgB183gUGQ340HpL:SvmlNn4kkeOAVA1rUGh0Hp
Score

3^/10

discovery
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Darkcomet family

Modifies WinLogon for persistence

Modifies firewall policy service

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

UPX packed file

Drops startup file

Njrat family

njRAT/Bladabindi

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32