darkcomet

Resubmissions

21-12-2024 17:42

241221-v9y3xavlaz 10

20-12-2024 23:19

241220-3bbtqawpat 10

20-12-2024 19:29

241220-x7fjwssqdm 10

Sharing

Copy URL

Twitter E-mail

General

Target

XPloit.zip
Size

23.9MB
Sample

241221-v9y3xavlaz
MD5

df5931935ffe284ca5b40791607e7a4c
SHA1

262399853d05ece01f740d1e820aa892b065b1bd
SHA256

3d6bc3c0247c2b4f87282da002475ac068b5b6cac948743f697832a9a4a4c6de
SHA512

38ac5f801f73714c840e16c8513b3c4f2d29815f042585a61c06830a76c1cae0e7e295241be686ae2d5f4bd19503ee9e69dadd611b1389d6ea9018553df785f7
SSDEEP

393216:OH+kig1whmEJ+oUAgHRsP56jvR3vJ0RPaati4b8sVNSCoOYhkhalpMJpQl+25+:sB1w/J+oUANMj53vOxavKxoqhMgpw+

Score

10^/10

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

127.0.0.1:1604

Mutex

DC_MUTEX-R2MY49E

Attributes

gencode
0JGDeNqTa1iX
install
false
offline_keylogger
true
persistence
false

Targets

- Target
  
  XPloit.zip
- Size
  
  23.9MB
- MD5
  
  df5931935ffe284ca5b40791607e7a4c
- SHA1
  
  262399853d05ece01f740d1e820aa892b065b1bd
- SHA256
  
  3d6bc3c0247c2b4f87282da002475ac068b5b6cac948743f697832a9a4a4c6de
- SHA512
  
  38ac5f801f73714c840e16c8513b3c4f2d29815f042585a61c06830a76c1cae0e7e295241be686ae2d5f4bd19503ee9e69dadd611b1389d6ea9018553df785f7
- SSDEEP
  
  393216:OH+kig1whmEJ+oUAgHRsP56jvR3vJ0RPaati4b8sVNSCoOYhkhalpMJpQl+25+:sB1w/J+oUANMj53vOxavKxoqhMgpw+
Score

3^/10
behavioral1 behavioral2
- Target
  
  ForlornApi.dll
- Size
  
  13KB
- MD5
  
  e31fc5f539332de2888121b098d0d5d2
- SHA1
  
  2c76b76bc2a4bd3ce49394a15687dfd6835aa46d
- SHA256
  
  0bef874d8dab4fcf8024227ccc870ed7f6fb9c6d5db0ffe5d447948c26c3cad8
- SHA512
  
  70db518de1567fd297fe8d4a9a3bf68ab7d7b3c2cdb9358dc84ec2213313aa3d4bb831453044662fdc82d87cc9f34344109bbd4ba91c500ef797f99e7bc55564
- SSDEEP
  
  192:EZRcjJAwd3EUkgrUlGaHIofKbCkWNgF3anfm+eN6J+2uan1WVqG0siS1ag9:+EGuQpHAgN3aNqlWVjyrg9
Score

1^/10
behavioral3 behavioral4
- Target
  
  ForlornInject.dll
- Size
  
  6.3MB
- MD5
  
  a40dcf9942879728c738a5161e9ea455
- SHA1
  
  3d35c866c70db1c34daba07197bc4a834bc794f3
- SHA256
  
  8e11bbf4a2f5ea522804219789db209f906ec7e23d5b273547e4eceee82b6c44
- SHA512
  
  ab41eddeee2c7edb9dda5d91843546f2d0e41e11ac125cd9750b9531a63c7f4abd2faee412d8fd309390d1040e5b787ea98dfd754b14830aecedc739e0a9fbde
- SSDEEP
  
  196608:VqHqqhOnCaiiyFUHH76pyS1Ii8eGAvKQ0pOwqz:VqH8iiyFUSydi8eePpOw+
Score

7^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral5 behavioral6
- Target
  
  XPloit.deps.json
- Size
  
  797B
- MD5
  
  47662f430e3091c399c3e2da1f529ba5
- SHA1
  
  a775b3330402cfd7054c9c681a8139fecf3b1120
- SHA256
  
  95744071bffef8925b87f20f67843dc60f0d4d36a560d8ecbb1ca16e7023813a
- SHA512
  
  1735d4f7dd41cdeb1fe7a4f7018bcec427e1fbea7ed06692664519e3f8a3b99440e3c72c4f2e05efbd7c59046f948bad637d8590fcb6cd78dea874a918337939
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  XPloit.dll
- Size
  
  74KB
- MD5
  
  5331a85d98acdf41a0aab7c46f00ae04
- SHA1
  
  24c858bb95a6b0dbc0fce9fac98e9f9698bc7bd9
- SHA256
  
  825ebf8702679cb5e0899308499b5efb7bdafc9c60e822c9599b50b7afb8cd28
- SHA512
  
  161e341a18178f2c68a64d8e808f80e57b957c4d9741c24e1bd06eb37a3739ece2d1d46e32645be707cce4c70b660564c6bd606762aca8701bf2411d5bb654e2
- SSDEEP
  
  768:EBqw+t+VBh0QLFEJESSSF5M4faQmzQ4QZwuz+3jsnRVRE:8P4cBlKJj5tvmzaal4E
Score

10^/10

darkcomet sazan discovery persistence pyinstaller rat spyware stealer trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral10 behavioral9
- Target
  
  XPloit.exe
- Size
  
  18.6MB
- MD5
  
  bb2ef742beac994d93804ffd0f5e25a9
- SHA1
  
  ca276708b744d244b4e1dc897eb707869e681c34
- SHA256
  
  54a08d439e0024aaa094b8bc9360672c6d7c09d800548a72efdc3ac6a11fe151
- SHA512
  
  fc79e068d5953ef62d60d8741896661be482b89816e9a7430151f6040ebfd3a48df649c596903017781bfa3febc8d2460ad53f83348db740341f54a093f27122
- SSDEEP
  
  393216:ZbqPnLFXlrWQ8DOETgsvfG7gsNvEvpc2R20Imm3:sPLFXNWQhEiFiv2G2T3
Score

10^/10

darkcomet sazan discovery pyinstaller rat trojan upx persistence spyware stealer
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral11 behavioral12
- Target
  
  main.pyc
- Size
  
  7KB
- MD5
  
  df80862d09cb2aef641db58fb9cf44af
- SHA1
  
  38e5d07ae5755c67dff69bb60a69385261810cad
- SHA256
  
  df6fdb82eca45baa6a91b89cc9aa2fe59020a28e08df90b1d060932140a658f6
- SHA512
  
  ba31801f383cca23866513f36345358f91906c31b4a711e8e36d345ba7650f112119f0f175105b7e422c6be31ce62b047f974d39863e3d753fe2563653ffe05f
- SSDEEP
  
  192:wKKt0a3nD84gkuWdXwvHCZGr6JhwZNMdwtnw:bKB6PWuviZ++2ZNPtw
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  XPloit.pdb
- Size
  
  13KB
- MD5
  
  922f91a14a0b8902176fa1ecf563e944
- SHA1
  
  9dae211479a31dcb43857b70d5c354d603218d3a
- SHA256
  
  91f938f338dc5480abca2c050213f4420ce329d26ecbe8c67aab95bcb5ae3ee8
- SHA512
  
  cdbbf08e03935115d2fbde86e9861f065faceab2ab903b1b05e6249adba4f66452f02d7df1cec22e9ea385a09cb4b4ad44233d7c07fabcf597c12da218e13862
- SSDEEP
  
  384:5MJ7Wf/v0cQgr4GZasF1esCUksOvtE6Bzc7Rr0fzqZQtjkcKopvHffxLApTHD3Ii:SWHxvohFEeqO7tjle3X
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  XPloit.runtimeconfig.json
- Size
  
  443B
- MD5
  
  9db099f143ead47e224653d0dde19fe9
- SHA1
  
  d050db767fc64aa1705353132da3e35048475d3c
- SHA256
  
  7e79af92820e50910b90f1cade2728f45987393f24b50e384dc225d9773b7194
- SHA512
  
  579c3c870903b3d47dbc2567153fa7c73e0aa47387c6969b8982037884033a4b25de702e0efb8c7ae717b6b463192b917b18a79b1ef5f8c969f257422af2b65f
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  workspace/IY_FE.iy
- Size
  
  1KB
- MD5
  
  5430cd099b8699e8bf8692b1ee282372
- SHA1
  
  e44b62849519db8a77b5ce6f8e5572e1edf2d041
- SHA256
  
  738277b369c0cfdec8ad0eb24aace538f19785ea134541657661ac80802730d7
- SHA512
  
  9126e43feaad90e61b7dc7eeff30616701bf8f85f4de669bed7acd10a0b01c97dd35276d0de42ad41041d30441c9ea9cd130450a5db1ead4c0aa06a4494f605c
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  workspace/MercurySettings.json
- Size
  
  16B
- MD5
  
  be12004ab076e82cb7b308cf1322bbf7
- SHA1
  
  0de6f88fe43b9698ade3f6063c1b5a815c43b7f3
- SHA256
  
  ee09e40269075114a05082e03c87e115939ebc488d9ecced1a5fb74106a76ed7
- SHA512
  
  f66f8782cfed28687e860ec2f3806795654f82f50604a86f7b20657f04efe5eb5746aa7451042017d53f2fd03d9233d3f43526c2f90ac5c830e1ad3e82a27d49
Score

3^/10

discovery
behavioral21 behavioral22

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

VMProtect packed file

Darkcomet family

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

UPX packed file

Darkcomet

Darkcomet family

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22