darkcomet | 80e3e57fb6aada9da17a4474b3a871e61ceb24053ce295405912498af6cf75f4 | Triage

Sharing

General

Target

JaffaCakes118_7a803f896396793f1c310e37ccd75830
Size

729KB
Sample

250104-s6pzqawjdx
MD5

7a803f896396793f1c310e37ccd75830
SHA1

eff35c28bb048731602355687d71b8b09ca9fa11
SHA256

80e3e57fb6aada9da17a4474b3a871e61ceb24053ce295405912498af6cf75f4
SHA512

e94700e5635248cad7a79b9a8032b68df1b0d60e970fd8b901f2be0616777a66d41e6d81d65405e8d5d823a8dd1155bfc9bb8224bfc0539b9bcc54d1a2e2c83d
SSDEEP

12288:D2vRcIdCtImmDcwvxPnHnuKMM1SSqkV+MrEljp1KAGJpx:iZZCIDvxPHnvX1A/M4Zp1Gj

Score

10^/10

darkcomet ab rio int discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

AB Rio INT

C2

facebookmsg.no-ip.org:666

Mutex

DC_MUTEX-ZNC3EV6

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
0HzX5u7cZVK1
install
true
offline_keylogger
true
password
SUN123
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  JaffaCakes118_7a803f896396793f1c310e37ccd75830
- Size
  
  729KB
- MD5
  
  7a803f896396793f1c310e37ccd75830
- SHA1
  
  eff35c28bb048731602355687d71b8b09ca9fa11
- SHA256
  
  80e3e57fb6aada9da17a4474b3a871e61ceb24053ce295405912498af6cf75f4
- SHA512
  
  e94700e5635248cad7a79b9a8032b68df1b0d60e970fd8b901f2be0616777a66d41e6d81d65405e8d5d823a8dd1155bfc9bb8224bfc0539b9bcc54d1a2e2c83d
- SSDEEP
  
  12288:D2vRcIdCtImmDcwvxPnHnuKMM1SSqkV+MrEljp1KAGJpx:iZZCIDvxPHnvX1A/M4Zp1Gj
Score

10^/10

darkcomet ab rio int discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometab rio intdiscoveryevasionpersistencerattrojan

behavioral2

darkcometab rio intdiscoveryevasionpersistencerattrojan