darkcomet

Sharing

Copy URL

Twitter E-mail

General

Target

JaffaCakes118_2a17e3086c909b6f21fc681ded7cad0f85c308118691899b181948cb4a11d81c
Size

2.5MB
Sample

241222-pxjvkaykg1
MD5

5bc63ad70a04e62cd8866c07163313eb
SHA1

fb891ff6f5e19e859330d050c861afb5a47cdb08
SHA256

2a17e3086c909b6f21fc681ded7cad0f85c308118691899b181948cb4a11d81c
SHA512

e8b884895b07291d644adcc66408c8bbc6d213b07db5ecaa6e16221b8e2082b674b0ce30f531ade1a92ef1fe5053c7170d0c64ab4a484cdeda8cd9039d82274d
SSDEEP

49152:A+nCSJ/0W7fhs7peEv8p5jR2iilq4/p/qLwEqSKdAbc7p+YTNx:iSJp058pr2iEP/EHqSKqc9+YTT

Score

10^/10

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

olmayanoc.duckdns.org:1604

Mutex

DC_MUTEX-CWXJ2HG

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
uEE4dQifbptz
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  Wolfteam/Hack.exe
- Size
  
  847KB
- MD5
  
  1d5349887bf319b3883a8e84797f2f0f
- SHA1
  
  3dd4311bdaee5164f1d4e4b3183fea9262a0a721
- SHA256
  
  a2aacc0b545223c09ebf8540450cd436d1fe4274b10660c4cb90b2dd35727a39
- SHA512
  
  e9faf7ad9998c6d0c9831eca28ad4822140d0b55dcb28974101a2b8e8a1fb0ef3a9f9aacc1f797440316a10dd3b03c6a13b4276b113d55689ce66825bc470680
- SSDEEP
  
  24576:JZ1xuVVjfFoynPaVBUR8f+kN10EB6LtxBezjJ348:zQDgok30PLtxcVd
Score

10^/10

darkcomet guest16 discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Wolfteam/SpeedTreeRT.dll
- Size
  
  1.7MB
- MD5
  
  1ac3d612389fa679f5ca3c6bab855145
- SHA1
  
  2f4f279d0c99c112db1adee5a3c324d0355fcbf5
- SHA256
  
  ddba9b9b427d541ebc0bf1221fffc5d56a85d7b8ee0dfe6370a83a133da6967b
- SHA512
  
  847376db96f3a3c1ab844fbf066f4e0e05b203769d7ca04fdf2463e86fc99ea1589054d1cc10ff70e45a5fb82a9e103edc2aa17b76cd94497cd49fedb6e06788
- SSDEEP
  
  49152:dlb1zb1jb1Rb14b1Rb1Lb1Rb12b1Rb1Nb1Rb1Rb1Rb1jb1rb1Rb1rb1Rb19b1Rb3:dlb1zb1jb1Rb14b1Rb1Lb1Rb12b1Rb1x
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  Wolfteam/api_ms_win_core_interlocked_l1_1_0.dll
- Size
  
  19KB
- MD5
  
  aebb266ad5e92fdfabb4b21ce973ff51
- SHA1
  
  018a5ebf9dc68cfe243d6ab2a2ec6f9371804110
- SHA256
  
  7e58e8c6140bb8108e284b364261842a5fd19fa37c30e5dd3501669d8fd5108a
- SHA512
  
  d9fe0a673128bcb289ffb5f7799afb79e642997acb7ca3a3cfd165b9dd029ce40d98e7659eaa94cef39964d3d89af3bd1d44a220c246d73f08ba9642ec0b06d9
- SSDEEP
  
  384:8lYsFGWEhWrVcWVF0GftpBjyc4HRN789lVoPfKdx51:Dy+iwB81oHi
Score

3^/10

discovery
behavioral5
- Target
  
  Wolfteam/api_ms_win_core_synch_l1_1_0.dll
- Size
  
  20KB
- MD5
  
  981a70962828df80f65c822196daac8d
- SHA1
  
  1e9bc0925b963860c0755564f74b3fadb242f4eb
- SHA256
  
  d664f63c82b14e4d1cc52a1e6d0477b0ed9f333a12935e4e4ae2c223ca9d5437
- SHA512
  
  7222b99805e09069a7045818629eeac43119b8c1fe0a10cf4b840895f10187d14d7a253ca869edb9d03d54fd326d28c1aa0514cd3ec5d9661b71600b69173b3e
- SSDEEP
  
  384:Idv3V0dfpkXc0vVa3WEhWZcWVF0GftpBjfEc4HRN7j6l2cHvj:Idv3VqpkXc0vVaXu+iyBjVoj
Score

3^/10

discovery
behavioral6
- Target
  
  Wolfteam/api_ms_win_core_timezone_l1_1_0.dll
- Size
  
  18KB
- MD5
  
  fbfd4e793c857621f39f072eda5090df
- SHA1
  
  a58fc3833c54916b1f5bdf7a795782a3fd9350d2
- SHA256
  
  a64bc428270acd0abe920239d79930dd0bff1e800adf4d746e55d86d59edac25
- SHA512
  
  851e0f35cf4f2cd4b35c106e0cd1911b26116aa96592ce9cf788355ed17f72cf5e1c0833435bf1528300b8440e049b652391c13202721cdafa4b01c47461ec3b
- SSDEEP
  
  384:8WEhWXcWVF0GftpBjLdVLIUc4HRN7OE9Vl3t3Mgr:a8+ibVEUBOE9eQ
Score

3^/10

discovery
behavioral7
- Target
  
  Wolfteam/api_ms_win_crt_locale_l1_1_0.dll
- Size
  
  19KB
- MD5
  
  04e1358a7b9b4a90e9389bd669200e78
- SHA1
  
  314a23566764b0bf6e5e4f1d012595d6866d6418
- SHA256
  
  116f2ba1a53995feed6eecbe79452a0eb454e46d47f6253a756db662058bf473
- SHA512
  
  4ad23c8ff7ef26b7fb835943216f23ba0f2bfde4e2f7eae98926cfbaccd5574cc624b3f4b8203d682e724fd7b3593f0f318c49cb9ed153dc7ba1f92acfb7045f
- SSDEEP
  
  384:3WEhWbcWVF0GftpBjY1Acc4HRN77bdElImELQK:XQ+iI7B7beGj
Score

3^/10

discovery
behavioral8
- Target
  
  Wolfteam/python27.dll
- Size
  
  2.4MB
- MD5
  
  da8b71b282bb2c3e0ac3e0465e592e5d
- SHA1
  
  f3eaa7956a42dd65dc008d5621263ae4155eb204
- SHA256
  
  6c771faf75ac68d28f83509fc113288035978122dc49de8936d9011e0a9b20ab
- SHA512
  
  aa5c9c305b7d01eed4ed90afde0e4964071279ba64d0c5fa5743c70ecc039a841e437c6f850b5fdd770e61907aa55a98643545b1615829d4e420aac3eb133663
- SSDEEP
  
  49152:4772lrp7/cjrJvL41N9dmsQ9oxVEWTCQIcWHLQnCMr6PBxvR0phcQ:w7e31NKl9oMV7HcCMre9epX
Score

3^/10

discovery
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Darkcomet family

Modifies WinLogon for persistence

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10