darkcomet | bd66794fc5f240473bc307053fcb8bb547fe900591c71ebf35d8e80e6d56042c | Triage

Sharing

General

Target

JaffaCakes118_780b6a602e2f2ae248a99839708e9850
Size

637KB
Sample

250104-gpqzxawjhy
MD5

780b6a602e2f2ae248a99839708e9850
SHA1

e30854c4499d4e4072df90baf31c92d60576ec6c
SHA256

bd66794fc5f240473bc307053fcb8bb547fe900591c71ebf35d8e80e6d56042c
SHA512

5707fe9a1f95113aac54d9e9d9505cffec0fcad252b17b1dee5b3e57de59e5a7171c2566fc5d86d76fdd2050a22725d7cc019e961315a064588185e8e9e036ad
SSDEEP

12288:DXcwNT1q5AXo9BoiFrUtos+55ejmqEzaPUsVf33Zas+AGgWiPXvNWJ2qiqp6Uh8D:bcOIX6toH52Q8RaNAGgWivvNWJ9iqth6

Score

10^/10

darkcomet guest16_min discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

lakaisucksbigcawks.no-ip.biz:3940

Mutex

DCMIN_MUTEX-Z56GG71

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
1zWRnrU8ybNP
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Targets

- Target
  
  Mtgox-Code.com
- Size
  
  661KB
- MD5
  
  3f1f75ca7d74031e8bbe925ea13bf649
- SHA1
  
  d5a678dd4228344cb7731ee1bd801e91482b3bcc
- SHA256
  
  89dba6832997b562206c404764c9644d6a5df70429a02c1ee809b081549efeda
- SHA512
  
  67ade3dc6926d09e5126c2348daa70d651c84b69c41135506ebc5e723fa96887b3983ca457dc5642b95e966f860bd3a91b9e63360073d429fc2a1fe080869f9a
- SSDEEP
  
  12288:O/cwfT1qnAXoDBoiFtUt4sgj5eXmqE5aBUsVVP3Nas+AGgaiPXvNsJ2qiqt6UOz8:acqchIt4F5U28naNAGgaivvNsJ9iqBIo
Score

10^/10

darkcomet guest16_min discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16_mindiscoverypersistencerattrojan

behavioral2

darkcometguest16_mindiscoverypersistencerattrojan