darkcomet | 3d6bc3c0247c2b4f87282da002475ac068b5b6cac948743f697832a9a4a4c6de | Triage

Submit
Reports

Overview

overview

Static

static

XPloit.zip

windows7-x64

1

XPloit.zip

windows10-2004-x64

Resubmissions

21-12-2024 17:42

241221-v9y3xavlaz 10

20-12-2024 23:19

241220-3bbtqawpat 10

20-12-2024 19:29

241220-x7fjwssqdm 10

Sharing

General

Target

XPloit.zip
Size

23.9MB
Sample

241220-3bbtqawpat
MD5

df5931935ffe284ca5b40791607e7a4c
SHA1

262399853d05ece01f740d1e820aa892b065b1bd
SHA256

3d6bc3c0247c2b4f87282da002475ac068b5b6cac948743f697832a9a4a4c6de
SHA512

38ac5f801f73714c840e16c8513b3c4f2d29815f042585a61c06830a76c1cae0e7e295241be686ae2d5f4bd19503ee9e69dadd611b1389d6ea9018553df785f7
SSDEEP

393216:OH+kig1whmEJ+oUAgHRsP56jvR3vJ0RPaati4b8sVNSCoOYhkhalpMJpQl+25+:sB1w/J+oUANMj53vOxavKxoqhMgpw+

Score

10^/10

darkcomet empyrean sazan discovery persistence privilege_escalation pyinstaller rat spyware stealer trojan upx vmprotect

Static task

static1

vmprotect pyinstaller sazan darkcomet empyrean

6 signatures

Behavioral task

behavioral1

Sample

XPloit.zip

Resource

win7-20240903-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

XPloit.zip

Resource

win10v2004-20241007-en

darkcomet sazan discovery persistence privilege_escalation pyinstaller rat spyware stealer trojan upx

windows10-2004-x64

28 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

C2

127.0.0.1:1604

Mutex

DC_MUTEX-R2MY49E

Attributes

gencode
0JGDeNqTa1iX
install
false
offline_keylogger
true
persistence
false

Targets

- Target
  
  XPloit.zip
- Size
  
  23.9MB
- MD5
  
  df5931935ffe284ca5b40791607e7a4c
- SHA1
  
  262399853d05ece01f740d1e820aa892b065b1bd
- SHA256
  
  3d6bc3c0247c2b4f87282da002475ac068b5b6cac948743f697832a9a4a4c6de
- SHA512
  
  38ac5f801f73714c840e16c8513b3c4f2d29815f042585a61c06830a76c1cae0e7e295241be686ae2d5f4bd19503ee9e69dadd611b1389d6ea9018553df785f7
- SSDEEP
  
  393216:OH+kig1whmEJ+oUAgHRsP56jvR3vJ0RPaati4b8sVNSCoOYhkhalpMJpQl+25+:sB1w/J+oUANMj53vOxavKxoqhMgpw+
Score

10^/10

darkcomet sazan discovery persistence privilege_escalation pyinstaller rat spyware stealer trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Wi-Fi Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

vmprotectpyinstallersazandarkcometempyrean

behavioral1

behavioral2

darkcometsazandiscoverypersistenceprivilege_escalationpyinstallerratspywarestealertrojanupx

© 2018-2024

Terms | Privacy