darkcomet | 837832bb02fe7ade8179abcade5e7ca177d9b01a8c231abb37dc275f3dfc1429 | Triage

Sharing

General

Target

b5c6b797816975bbd74cf01b7980cf22_JaffaCakes118
Size

607KB
Sample

241201-3zzwfsylcz
MD5

b5c6b797816975bbd74cf01b7980cf22
SHA1

696c469a4d7e88cd306ab17c765262d6f8fb29fe
SHA256

837832bb02fe7ade8179abcade5e7ca177d9b01a8c231abb37dc275f3dfc1429
SHA512

1428f5205a331cb2ff0731528e7f0591ace45f7b1c0a5812b3343288f84cc4d0f576df034657614208b0731e3b42a6d1a43e5802ebbf21f9f7e32d55e479b687
SSDEEP

12288:V89vTqy0a90ErsbbQ1nDZ+5nFxF/LMlYi/2IJMJ:KRTqmz2v/Alj/2kE

Score

10^/10

darkcomet boomzbm discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

BOOMZBM

C2

encikhebat.no-ip.org:1604

Mutex

DC_MUTEX-EGU145C

Attributes

InstallPath
MSDCSC\s3rvic3s.exe
gencode
aR6wNaMTzLyE
install
true
offline_keylogger
true
persistence
true
reg_key
Services

Targets

- Target
  
  AwekKolej.exe
- Size
  
  738KB
- MD5
  
  959550946f0ebb35807317408542123c
- SHA1
  
  65b8386c5c80b7443fc89b11cc4468400f7abcf2
- SHA256
  
  7ee14508476758f0d36ea8aaf22eab55eaffff6ea68291d62b98e775a499e781
- SHA512
  
  b8707f0577be0225d571a2a58be40085244264288728d84bf857cf37ebadf24730558904ee2c90bda6b52733a2cc9a1f8878c652ab50fc35c6d345e4bd3cbf30
- SSDEEP
  
  12288:t5O2GoRvcRfUP04kWliJTzgoRdyfV1jKRo2M2zzqipI3FTElC1aiNchvhznP08q:tzfKMPfk5JTkaMfV4Ro23aiSBEs8iNQ2
Score

10^/10

darkcomet boomzbm discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometboomzbmdiscoveryevasionpersistencerattrojan

behavioral2

darkcometboomzbmdiscoveryevasionpersistencerattrojan