darkcomet | 89b49b220b567c00e81845006355a73d03724e12aeb998e0b287702d46caf8f5 | Triage

Sharing

General

Target

JaffaCakes118_6b8eb016996bec20cb8c37da4bc6aa55
Size

1.6MB
Sample

250103-k2mpsswphz
MD5

6b8eb016996bec20cb8c37da4bc6aa55
SHA1

6257b93b0e97c1813fb728a9209c188a22de7dc3
SHA256

89b49b220b567c00e81845006355a73d03724e12aeb998e0b287702d46caf8f5
SHA512

4ba0a05bc3849e7ff2a0b583f04f558de42a74717d87b3b98268eeb41e0f55f19212a5d7ba907f97184fe341588522bde385ff296cb0df91f3d15296003051df
SSDEEP

49152:3pQ1B+QV1YMr8bY0rOQxBgdr8PFmiKaNgcJUbvM:kBtUMr8bZKrwoi5NgcJEv

Score

10^/10

darkcomet koritsia discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

koritsia

C2

pamekala.no-ip.org:2520

Mutex

DC_MUTEX-DJDQH0Q

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
TCQx7ZeDpEBz
install
true
offline_keylogger
true
password
1234
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  JaffaCakes118_6b8eb016996bec20cb8c37da4bc6aa55
- Size
  
  1.6MB
- MD5
  
  6b8eb016996bec20cb8c37da4bc6aa55
- SHA1
  
  6257b93b0e97c1813fb728a9209c188a22de7dc3
- SHA256
  
  89b49b220b567c00e81845006355a73d03724e12aeb998e0b287702d46caf8f5
- SHA512
  
  4ba0a05bc3849e7ff2a0b583f04f558de42a74717d87b3b98268eeb41e0f55f19212a5d7ba907f97184fe341588522bde385ff296cb0df91f3d15296003051df
- SSDEEP
  
  49152:3pQ1B+QV1YMr8bY0rOQxBgdr8PFmiKaNgcJUbvM:kBtUMr8bZKrwoi5NgcJEv
Score

10^/10

darkcomet koritsia discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometkoritsiadiscoverypersistencerattrojan

behavioral2

darkcometkoritsiadiscoverypersistencerattrojan