darkcomet | 2d8d55b1a2040a041c217333c1fff62f927bf29b3049963a815e29934f3f8418 | Triage

Sharing

General

Target

2d8d55b1a2040a041c217333c1fff62f927bf29b3049963a815e29934f3f8418N.exe
Size

911KB
Sample

241202-jkm4kawkfy
MD5

c6124a942c55b07895302856e06a9d90
SHA1

792dcfe853839096cd815020cc084c00efea3eef
SHA256

2d8d55b1a2040a041c217333c1fff62f927bf29b3049963a815e29934f3f8418
SHA512

a79dee40098c9293de69fdf8564231a1d8cef29e0cb85b7b182e9ae4c5746467c660c6eba7395b04497b7839e6cfd66874697bfb532f479c199e08ffbbf62c1a
SSDEEP

12288:GJd7xDyNZHN32RDRua9FZzrGHQTMDPnA46X3/aeSGxF10mhXWty7Xy5mQmkR/zEC:6dtuNtN32rRLZqQyp4HSGxZhXWO5C

Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

efosa94949.no-ip.biz:1604

Mutex

DC_MUTEX-7SCGJWM

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
k0FWSrLTENGX
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  2d8d55b1a2040a041c217333c1fff62f927bf29b3049963a815e29934f3f8418N.exe
- Size
  
  911KB
- MD5
  
  c6124a942c55b07895302856e06a9d90
- SHA1
  
  792dcfe853839096cd815020cc084c00efea3eef
- SHA256
  
  2d8d55b1a2040a041c217333c1fff62f927bf29b3049963a815e29934f3f8418
- SHA512
  
  a79dee40098c9293de69fdf8564231a1d8cef29e0cb85b7b182e9ae4c5746467c660c6eba7395b04497b7839e6cfd66874697bfb532f479c199e08ffbbf62c1a
- SSDEEP
  
  12288:GJd7xDyNZHN32RDRua9FZzrGHQTMDPnA46X3/aeSGxF10mhXWty7Xy5mQmkR/zEC:6dtuNtN32rRLZqQyp4HSGxZhXWO5C
Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16discoveryevasionpersistencerattrojan

behavioral2

darkcometguest16discoveryevasionpersistencerattrojan