darkcomet | 3fcecfe7633ee202afa47aebbd3d48481fe46893a8df1eea3c8f371b52f7a363 | Triage

Sharing

General

Target

JaffaCakes118_6224b7f826c1b786bbf175ba83a1442d
Size

756KB
Sample

250102-c3kmts1nar
MD5

6224b7f826c1b786bbf175ba83a1442d
SHA1

88ffbbd46624b814611b609dd9b8b49d238c255c
SHA256

3fcecfe7633ee202afa47aebbd3d48481fe46893a8df1eea3c8f371b52f7a363
SHA512

00856a399fdd6324364e3f911a21b3b092ce09bf9290bd1e3dc4590e7d3c01f21bc53cf723bc9e65be8a830c4898eba94a9d9f33d1ede2e46c4ffa70b353ac06
SSDEEP

12288:39HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/htsvvs:RZ1xuVVjfFoynPaVBUR8f+kN10EB8vvs

Score

10^/10

darkcomet nmt3 discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Nmt3

C2

anihilatorrat.no-ip.org:1604

Mutex

DC_MUTEX-1G7RFUM

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
RfRp6b1dmdnY
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  JaffaCakes118_6224b7f826c1b786bbf175ba83a1442d
- Size
  
  756KB
- MD5
  
  6224b7f826c1b786bbf175ba83a1442d
- SHA1
  
  88ffbbd46624b814611b609dd9b8b49d238c255c
- SHA256
  
  3fcecfe7633ee202afa47aebbd3d48481fe46893a8df1eea3c8f371b52f7a363
- SHA512
  
  00856a399fdd6324364e3f911a21b3b092ce09bf9290bd1e3dc4590e7d3c01f21bc53cf723bc9e65be8a830c4898eba94a9d9f33d1ede2e46c4ffa70b353ac06
- SSDEEP
  
  12288:39HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/htsvvs:RZ1xuVVjfFoynPaVBUR8f+kN10EB8vvs
Score

10^/10

darkcomet nmt3 discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometnmt3discoveryevasionpersistencerattrojan

behavioral2

darkcometnmt3discoveryevasionpersistencerattrojan