darkcomet | 3354ce430600c001c1ee92a63614288237a1d6fc69ceb3036ccf86ee4c9b61dc | Triage

Sharing

General

Target

3354ce430600c001c1ee92a63614288237a1d6fc69ceb3036ccf86ee4c9b61dc.exe
Size

946KB
Sample

241202-pbjyfasqgv
MD5

a1bb58919f47a163fdc90fdfc2ba800e
SHA1

b394bf81d72da6b359997e0c2584dfc1c28e8769
SHA256

3354ce430600c001c1ee92a63614288237a1d6fc69ceb3036ccf86ee4c9b61dc
SHA512

7cc907e6ca1e5b0b49fecf0b64c0e0cbfb044b09a88dcd5456db080d7af105bfb09aae396c0cbeb3c28793a21d24c513bdbbd72b868937a9f7c9cf00aada8125
SSDEEP

12288:TJ2AsSLPMimCfwKxjctgIiFoaY+Ez7alWQQuvVTpP9gX5yGA:TwAs0MTMx84EzWWVIJTT

Score

10^/10

darkcomet crypt defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Crypt

C2

dcserv1603.zapto.org:999

192.168.1.4:999

Mutex

DC_MUTEX-CYSHT90

Attributes

gencode
BxRLSy9sb7uW
install
false
offline_keylogger
true
persistence
false

Targets

- Target
  
  3354ce430600c001c1ee92a63614288237a1d6fc69ceb3036ccf86ee4c9b61dc.exe
- Size
  
  946KB
- MD5
  
  a1bb58919f47a163fdc90fdfc2ba800e
- SHA1
  
  b394bf81d72da6b359997e0c2584dfc1c28e8769
- SHA256
  
  3354ce430600c001c1ee92a63614288237a1d6fc69ceb3036ccf86ee4c9b61dc
- SHA512
  
  7cc907e6ca1e5b0b49fecf0b64c0e0cbfb044b09a88dcd5456db080d7af105bfb09aae396c0cbeb3c28793a21d24c513bdbbd72b868937a9f7c9cf00aada8125
- SSDEEP
  
  12288:TJ2AsSLPMimCfwKxjctgIiFoaY+Ez7alWQQuvVTpP9gX5yGA:TwAs0MTMx84EzWWVIJTT
Score

10^/10

darkcomet crypt discovery persistence rat trojan defense_evasion
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometcryptdiscoverypersistencerattrojan

behavioral2

darkcometcryptdefense_evasiondiscoverypersistencerattrojan