darkcomet | ec118b8293d0b1683a004d4156eca929f4651771a8ed3197063107e770d35462 | Triage

Sharing

General

Target

ec118b8293d0b1683a004d4156eca929f4651771a8ed3197063107e770d35462.exe
Size

1.3MB
Sample

250109-cqyzpatnb1
MD5

2551f955c536e60dc4928e243ab2136d
SHA1

ac9602b5f24a097b20fcfdc1e41c6656ab6e5ede
SHA256

ec118b8293d0b1683a004d4156eca929f4651771a8ed3197063107e770d35462
SHA512

b892be40eab009bf22cd92f1b93bb9bbb954585d2e0ebe2cd1001f7bcc80e65e2f0c0f974d1abe23885c0a1b38d8b37f079e21ad64d5ca1dada230e0222e09e1
SSDEEP

24576:URmJkcoQricOIQxiZY1ianbPG48TIHm0X8zizW1EIpVP13WDc6ma:xJZoQrbTFZY1ianh8T90XFILoDcxa

Score

10^/10

darkcomet spoof discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

spoof

C2

spoofdns.no-ip.org:1604

Mutex

DCMIN_MUTEX-0R4X7F9

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
q312Ub2N15X4
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Targets

- Target
  
  ec118b8293d0b1683a004d4156eca929f4651771a8ed3197063107e770d35462.exe
- Size
  
  1.3MB
- MD5
  
  2551f955c536e60dc4928e243ab2136d
- SHA1
  
  ac9602b5f24a097b20fcfdc1e41c6656ab6e5ede
- SHA256
  
  ec118b8293d0b1683a004d4156eca929f4651771a8ed3197063107e770d35462
- SHA512
  
  b892be40eab009bf22cd92f1b93bb9bbb954585d2e0ebe2cd1001f7bcc80e65e2f0c0f974d1abe23885c0a1b38d8b37f079e21ad64d5ca1dada230e0222e09e1
- SSDEEP
  
  24576:URmJkcoQricOIQxiZY1ianbPG48TIHm0X8zizW1EIpVP13WDc6ma:xJZoQrbTFZY1ianh8T90XFILoDcxa
Score

10^/10

darkcomet spoof discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometspoofdiscoverypersistencerattrojan

behavioral2

darkcometspoofdiscoverypersistencerattrojan