darkcomet | b7b1d2292495b26c07ace69d9b563e99f1f6125408085864b6fb2e172c4975fb | Triage

Sharing

General

Target

b59f41b2e13be96995081ede3b5448ea_JaffaCakes118
Size

585KB
Sample

241201-28effa1rhj
MD5

b59f41b2e13be96995081ede3b5448ea
SHA1

7b824a918d04b6a01c98d2960c93baa93496031a
SHA256

b7b1d2292495b26c07ace69d9b563e99f1f6125408085864b6fb2e172c4975fb
SHA512

4f1eae4963fa07bdb107e8461804e0bb7b11b99faef81a4ee1a5ba67a115c422585c1431f3927f7b6a67a3336900aacac8244b48410a0dca8d5129bb8af4c9ec
SSDEEP

12288:K84skkP1VHr+d/yyrnMdYJpAsbaNSQDLV2yN+B0p8ol:ZkiPI/tbMdSasbaw4kyNug

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

crossfirenp.no-ip.org:1604

Mutex

DC_MUTEX-Y8TYL43

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
o3Lo08H6R2fU
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  b59f41b2e13be96995081ede3b5448ea_JaffaCakes118
- Size
  
  585KB
- MD5
  
  b59f41b2e13be96995081ede3b5448ea
- SHA1
  
  7b824a918d04b6a01c98d2960c93baa93496031a
- SHA256
  
  b7b1d2292495b26c07ace69d9b563e99f1f6125408085864b6fb2e172c4975fb
- SHA512
  
  4f1eae4963fa07bdb107e8461804e0bb7b11b99faef81a4ee1a5ba67a115c422585c1431f3927f7b6a67a3336900aacac8244b48410a0dca8d5129bb8af4c9ec
- SSDEEP
  
  12288:K84skkP1VHr+d/yyrnMdYJpAsbaNSQDLV2yN+B0p8ol:ZkiPI/tbMdSasbaw4kyNug
Score

10^/10

darkcomet guest16 discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16discoverypersistencerattrojan

behavioral2

darkcometguest16discoverypersistencerattrojan