darkcomet | a67a96c84573af7472e891c437426bc8562c45ea52a66492e5d3c100e06def09 | Triage

Sharing

General

Target

JaffaCakes118_a67a96c84573af7472e891c437426bc8562c45ea52a66492e5d3c100e06def09
Size

2.8MB
Sample

241230-ya6v9axqfw
MD5

7331cca7bea4f5d37d545c33fafeae6a
SHA1

59d3d7a74f9fcb669716abd8a9a49097b863c899
SHA256

a67a96c84573af7472e891c437426bc8562c45ea52a66492e5d3c100e06def09
SHA512

25de2de0bab020fba82b3a30bd7b3c3f17f53c54bf9ed1699040aef13b10d9159850a1bdbd450bfe05ae550d637ec7b31605b65c9d87176499aa91e4a805595b
SSDEEP

49152:tKSIBhxojxOittgUxuudBr2BS6dUil40ZTMlhtVQSIvaFE5ZyDsmI2h:tfIijcsIKBGhr40F6Qdva5Qih

Score

10^/10

darkcomet theoldback discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

THEOLDBACK

C2

cosrem.ddns.net:2301

cosrem.ddnsgeek.com:2301

cosrem.dyndns.org:2301

Mutex

DC_MUTEX-T4DJK1T

Attributes

gencode
cRqpT889gMa4
install
false
offline_keylogger
true
persistence
false

Targets

- Target
  
  D075589CD45380AAB929C10CE82BABF63533A5025527B1F7F30B55059C5D0AD2
- Size
  
  3.0MB
- MD5
  
  c5e77ee2c96212dcb64b9ead1b746dd8
- SHA1
  
  816610afe4151c9fe59449f30922f68babd665fc
- SHA256
  
  d075589cd45380aab929c10ce82babf63533a5025527b1f7f30b55059c5d0ad2
- SHA512
  
  2e8418f8b82686a76f83bcf4890909fa2678f7b97c49b02de84f27af2dd503260047983fde4a99a69421dada89caf7db033ade27b1d457e227cc208c02544446
- SSDEEP
  
  49152:LAI+iYFsw8ob4+vrrQtgKNnZj/Y4JneyOLHgmk7V5Pz8IF+8Ieg9uRKcT2MOmZuY:LAI+irwbVrsgKrxOLAmk3IIsuIcT2MOg
Score

10^/10

darkcomet theoldback discovery rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcomettheoldbackdiscoveryrattrojan

behavioral2

darkcomettheoldbackdiscoveryrattrojan