darkcomet | 5194028adbed199509326ded23b37ee34464892560d2c7c196d0dda8a3bda043 | Triage

Sharing

General

Target

5194028adbed199509326ded23b37ee34464892560d2c7c196d0dda8a3bda043.exe
Size

698KB
Sample

241205-ycbswsvpap
MD5

aa75ed1b108fa4129d827209c70a0e65
SHA1

730af9657cb90becfe0c9a878f6d307b5bda1655
SHA256

5194028adbed199509326ded23b37ee34464892560d2c7c196d0dda8a3bda043
SHA512

8aaf0c9e562a6e44f4a0d669575d057a583613260af4bfa7a22aec23632855b87eb505e666415dc520bf2ffb42b96b3f46c6909ae44176156095e83064989a21
SSDEEP

12288:uNAuo5DOxkhXzkJcX67+ET69NPA+qfnfaK3yXqkzIl+Me9Mp:uNrkhXzki6ql9mFfn53yXqEIl+4

Score

10^/10

darkcomet hf discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

HF

C2

darkred.servegame.com:4662

Mutex

DC_MUTEX-7B4EKNW

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
uwJhstfBog81
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  5194028adbed199509326ded23b37ee34464892560d2c7c196d0dda8a3bda043.exe
- Size
  
  698KB
- MD5
  
  aa75ed1b108fa4129d827209c70a0e65
- SHA1
  
  730af9657cb90becfe0c9a878f6d307b5bda1655
- SHA256
  
  5194028adbed199509326ded23b37ee34464892560d2c7c196d0dda8a3bda043
- SHA512
  
  8aaf0c9e562a6e44f4a0d669575d057a583613260af4bfa7a22aec23632855b87eb505e666415dc520bf2ffb42b96b3f46c6909ae44176156095e83064989a21
- SSDEEP
  
  12288:uNAuo5DOxkhXzkJcX67+ET69NPA+qfnfaK3yXqkzIl+Me9Mp:uNrkhXzki6ql9mFfn53yXqEIl+4
Score

10^/10

darkcomet hf discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcomethfdiscoverypersistencerattrojan

behavioral2

darkcomethfdiscoverypersistencerattrojan