darkcomet

General

Target

b0cce111400d44468c36721e44d0bd661b795d49d017e1b4dbe0b4d0d79669a0.zip
Size

130KB
Sample

241222-gpnvjswpdt
MD5

7341d5f29f668cee8b576b2ce60fdf68
SHA1

922be2df23f9c2133a575a4d4ccd86223883ade5
SHA256

b0cce111400d44468c36721e44d0bd661b795d49d017e1b4dbe0b4d0d79669a0
SHA512

708b5378a49f73602a10e7f2084b6edea4327f76e6b11649e4a11e4dd29743b852b0b8deef9d0d8d8a0a962c463e813f30bf22a81ffc510c3955cdf3fb1df676
SSDEEP

3072:Df1BDZ0kVB67Duw9AMcbbBBFAjrYEOnEjbWicBGIgPjzgw0XIu0I/2jAT:D9X0G3yjrkJiUgPH/ubXT

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
193.149.189.199
Port:
21
Username:
LUM
Password:
159753

Extracted

Credentials

Protocol: ftp
Host:
193.149.189.199
Port:
21
Username:
ins
Password:
installer

Extracted

Family

lumma

Extracted

Family

darkcomet

Botnet

Guest1690

C2

65.38.120.136:1690

Mutex

DC_MUTEX-F54S21D

Attributes

gencode
U2oxviM8ZSYf
install
false
offline_keylogger
true
persistence
false

Targets

- Target
  
  b0cce111400d44468c36721e44d0bd661b795d49d017e1b4dbe0b4d0d79669a0.zip
- Size
  
  130KB
- MD5
  
  7341d5f29f668cee8b576b2ce60fdf68
- SHA1
  
  922be2df23f9c2133a575a4d4ccd86223883ade5
- SHA256
  
  b0cce111400d44468c36721e44d0bd661b795d49d017e1b4dbe0b4d0d79669a0
- SHA512
  
  708b5378a49f73602a10e7f2084b6edea4327f76e6b11649e4a11e4dd29743b852b0b8deef9d0d8d8a0a962c463e813f30bf22a81ffc510c3955cdf3fb1df676
- SSDEEP
  
  3072:Df1BDZ0kVB67Duw9AMcbbBBFAjrYEOnEjbWicBGIgPjzgw0XIu0I/2jAT:D9X0G3yjrkJiUgPH/ubXT
Score

10^/10

darkcomet lumma vidar guest1690 credential_access discovery persistence rat stealer trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Detect Vidar Stealer
  stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/InetLoad.dll
- Size
  
  18KB
- MD5
  
  994669c5737b25c26642c94180e92fa2
- SHA1
  
  d8a1836914a446b0e06881ce1be8631554adafde
- SHA256
  
  bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
- SHA512
  
  d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563
- SSDEEP
  
  384:nUOPTbiJmdztwwKq8W1cyMjPzV0Ac9k+LMkIX1+Gn+XHdjf:nTikliwKq8W1rMjPzz+f
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/ZipDLL.dll
- Size
  
  163KB
- MD5
  
  2dc35ddcabcb2b24919b9afae4ec3091
- SHA1
  
  9eeed33c3abc656353a7ebd1c66af38cccadd939
- SHA256
  
  6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1
- SHA512
  
  0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901
- SSDEEP
  
  3072:8CkSJJ30k1pn2T4ISnUGN+E8KnCOxA17jxLmRtWHyPDQFllOdJiSg:tkSJy+c30UxbKnA1hLKWSVdk
Score

3^/10

discovery
behavioral5 behavioral6