darkcomet | 547b5f8fa22536e6ef421540f6f2308e02e09f841e17676dd16db35f3a01853c | Triage

Sharing

General

Target

547b5f8fa22536e6ef421540f6f2308e02e09f841e17676dd16db35f3a01853c
Size

1.3MB
Sample

241216-2bfx1a1rfz
MD5

e30c9b8c07eb6bb88f16c6084879391d
SHA1

09cbc8d0fc7024bc1d413537b2e56265809a8f45
SHA256

547b5f8fa22536e6ef421540f6f2308e02e09f841e17676dd16db35f3a01853c
SHA512

47bdc5c82e5886d57bc8e67307c7e6a21ff47e111dd0f04bb85aafb5d672a5b243f19eae23658e70fc3279cffb89468114015e4b44d21b3001dfb1e2118718e4
SSDEEP

12288:xiemWOmVwMiT1GHu8btht2NziYTSDvcFlRShkyObS4:seOmVwMiToHuAt6ziY6GlRSAO

Score

10^/10

darkcomet modiloader route discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

route

C2

mkidech.zapto.org:1604

Mutex

DC_MUTEX-MFYHLY2

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
oys3ZZzt6sGy
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  547b5f8fa22536e6ef421540f6f2308e02e09f841e17676dd16db35f3a01853c
- Size
  
  1.3MB
- MD5
  
  e30c9b8c07eb6bb88f16c6084879391d
- SHA1
  
  09cbc8d0fc7024bc1d413537b2e56265809a8f45
- SHA256
  
  547b5f8fa22536e6ef421540f6f2308e02e09f841e17676dd16db35f3a01853c
- SHA512
  
  47bdc5c82e5886d57bc8e67307c7e6a21ff47e111dd0f04bb85aafb5d672a5b243f19eae23658e70fc3279cffb89468114015e4b44d21b3001dfb1e2118718e4
- SSDEEP
  
  12288:xiemWOmVwMiT1GHu8btht2NziYTSDvcFlRShkyObS4:seOmVwMiToHuAt6ziY6GlRSAO
Score

10^/10

darkcomet modiloader route discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies WinLogon for persistence
  persistence
- Modiloader family
  modiloader
- ModiLoader Second Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometmodiloaderroutediscoverypersistencerattrojan

behavioral2

darkcometmodiloaderroutediscoverypersistencerattrojan