darkcomet

General

Target

d5ef64be0349c256013994a7cf238502aa5cfecdd2cb3d08dcb53cc8090e1f30.exe
Size

1.3MB
Sample

250108-qj9z9stmcp
MD5

c53ab36f5d13681b8e1580d5cfb7b8df
SHA1

f1085ca88e4a05f36e47a15c64eb2924d32ed4a0
SHA256

d5ef64be0349c256013994a7cf238502aa5cfecdd2cb3d08dcb53cc8090e1f30
SHA512

e28fdc5c3c45d4eb9c7209975f3dfae55e6d8eddff364471040ce273064eca24fa325070ef46e4ea89b3d73878f1ca0ba58bedd34de40939a19e7eef2ab50311
SSDEEP

24576:TYSj0spI7nYSj0spI7RYSj0spI7rYSj0spI7+qP9YsQnYoJU0oFGc:TYSY1nYSY1RYSY1rYSY1+89FOTSR

Score

10^/10

Malware Config

Extracted

Family

darkcomet

Botnet

Nubão

C2

prodigiohk.no-ip.org:6666

Mutex

Avast_Security-6PM6DD0

Attributes

InstallPath
Drivers\msdcsc.exe
gencode
Pnl2rf9hilzY
install
true
offline_keylogger
true
persistence
true
reg_key
Monitor Driver

Targets

- Target
  
  d5ef64be0349c256013994a7cf238502aa5cfecdd2cb3d08dcb53cc8090e1f30.exe
- Size
  
  1.3MB
- MD5
  
  c53ab36f5d13681b8e1580d5cfb7b8df
- SHA1
  
  f1085ca88e4a05f36e47a15c64eb2924d32ed4a0
- SHA256
  
  d5ef64be0349c256013994a7cf238502aa5cfecdd2cb3d08dcb53cc8090e1f30
- SHA512
  
  e28fdc5c3c45d4eb9c7209975f3dfae55e6d8eddff364471040ce273064eca24fa325070ef46e4ea89b3d73878f1ca0ba58bedd34de40939a19e7eef2ab50311
- SSDEEP
  
  24576:TYSj0spI7nYSj0spI7RYSj0spI7rYSj0spI7+qP9YsQnYoJU0oFGc:TYSY1nYSY1RYSY1rYSY1+89FOTSR
Score

10^/10

darkcomet nubão discovery evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2