darkcomet | 131b8c954a6dda5275a42067ad1c60e71b0c9c192281eb81b11ef68865f08a75 | Triage

Sharing

General

Target

b30d655aefc52618b2a7e6e3e13de11f_JaffaCakes118
Size

894KB
Sample

241129-w23xkazpcy
MD5

b30d655aefc52618b2a7e6e3e13de11f
SHA1

4ed6181c465ee67cc86af3abbfd8f98aa4be009b
SHA256

131b8c954a6dda5275a42067ad1c60e71b0c9c192281eb81b11ef68865f08a75
SHA512

58909a6ecb983ef4bcfff1598986a03cacc157f0b1e83d5222fa9cc5afdb2b214cde9ce04af3f655c1f28c7860a2b967df326c655459e7d331a5d3919f51272f
SSDEEP

12288:89HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hK3cwgBb:QZ1xuVVjfFoynPaVBUR8f+kN10EBvv

Score

10^/10

darkcomet latentbot windowscvtrell discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

windowscvtrell

C2

anonymedeskype81.zapto.org:1500

Mutex

DC_MUTEX-BU1D65U

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
2HVjF5Bcnmu5
install
true
offline_keylogger
true
persistence
false
reg_key
windowscvtrell

Extracted

Family

latentbot

C2

anonymedeskype81.zapto.org

Targets

- Target
  
  b30d655aefc52618b2a7e6e3e13de11f_JaffaCakes118
- Size
  
  894KB
- MD5
  
  b30d655aefc52618b2a7e6e3e13de11f
- SHA1
  
  4ed6181c465ee67cc86af3abbfd8f98aa4be009b
- SHA256
  
  131b8c954a6dda5275a42067ad1c60e71b0c9c192281eb81b11ef68865f08a75
- SHA512
  
  58909a6ecb983ef4bcfff1598986a03cacc157f0b1e83d5222fa9cc5afdb2b214cde9ce04af3f655c1f28c7860a2b967df326c655459e7d331a5d3919f51272f
- SSDEEP
  
  12288:89HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hK3cwgBb:QZ1xuVVjfFoynPaVBUR8f+kN10EBvv
Score

10^/10

darkcomet latentbot windowscvtrell discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Latentbot family
  latentbot
- Modifies WinLogon for persistence
  persistence
- Windows security bypass
  evasion trojan
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

windowscvtrelldarkcomet

behavioral1

darkcometlatentbotwindowscvtrelldiscoveryevasionpersistencerattrojan

behavioral2

darkcometlatentbotwindowscvtrelldiscoveryevasionpersistencerattrojan