darkcomet | a253a91771977d2b4801802c7b2987e49c292f5821d9bb737f6aa83f82cd7c1c | Triage

Sharing

General

Target

a253a91771977d2b4801802c7b2987e49c292f5821d9bb737f6aa83f82cd7c1cN.exe
Size

946KB
Sample

241202-g8eqzstlbs
MD5

d6c3469a3073e8d93cf8b4de3220afd0
SHA1

dd47cbc9736d709d5ce7515f5a1f0f16a1210dd5
SHA256

a253a91771977d2b4801802c7b2987e49c292f5821d9bb737f6aa83f82cd7c1c
SHA512

e5e62e59030645b580841e2796c94e56c14ee9c36ae765c5d832907135050a1db2554323ced400a7590c2bf141d27ca1b03e9356567e440984b62807aaf4bb46
SSDEEP

12288:TJ2AsSLPMimCfwKxjctgIiFoaY+Ez7alWQQuvVTpP9gX5yGQ:TwAs0MTMx84EzWWVIJT5

Score

10^/10

darkcomet crypt defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Crypt

C2

dcserv1603.zapto.org:999

192.168.1.4:999

Mutex

DC_MUTEX-CYSHT90

Attributes

gencode
BxRLSy9sb7uW
install
false
offline_keylogger
true
persistence
false

Targets

- Target
  
  a253a91771977d2b4801802c7b2987e49c292f5821d9bb737f6aa83f82cd7c1cN.exe
- Size
  
  946KB
- MD5
  
  d6c3469a3073e8d93cf8b4de3220afd0
- SHA1
  
  dd47cbc9736d709d5ce7515f5a1f0f16a1210dd5
- SHA256
  
  a253a91771977d2b4801802c7b2987e49c292f5821d9bb737f6aa83f82cd7c1c
- SHA512
  
  e5e62e59030645b580841e2796c94e56c14ee9c36ae765c5d832907135050a1db2554323ced400a7590c2bf141d27ca1b03e9356567e440984b62807aaf4bb46
- SSDEEP
  
  12288:TJ2AsSLPMimCfwKxjctgIiFoaY+Ez7alWQQuvVTpP9gX5yGQ:TwAs0MTMx84EzWWVIJT5
Score

10^/10

darkcomet crypt discovery persistence rat trojan defense_evasion
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometcryptdiscoverypersistencerattrojan

behavioral2

darkcometcryptdefense_evasiondiscoverypersistencerattrojan