darkcomet | df74421cd2e9f2c5c440a6ef6361829287093b79515fc70717dd126a3de5da4a | Triage

Sharing

General

Target

df74421cd2e9f2c5c440a6ef6361829287093b79515fc70717dd126a3de5da4aN.exe
Size

658KB
Sample

250109-fwepsaslbl
MD5

78ad87617025235760a058f10c63a900
SHA1

0d16e1ac88565aa1ad05a7b9d9b02ff0cb4aff88
SHA256

df74421cd2e9f2c5c440a6ef6361829287093b79515fc70717dd126a3de5da4a
SHA512

a4f3a5c633fe10da9eb699eb25e70fafeb40a0e868c1187933d29e88ad18fb4d0f3e5c6a527d42ac96b2d107fb005ae99e7e8ca8915376d8519c2311334032d0
SSDEEP

12288:S9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hC:+Z1xuVVjfFoynPaVBUR8f+kN10EB0

Score

10^/10

darkcomet latentbot asylum discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Asylum

C2

asylumisbaws.zapto.org:1604

Mutex

DCMIN_MUTEX-LZBRHSY

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
1upUuGNeNha7
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Extracted

Family

latentbot

C2

asylumisbaws.zapto.org

Targets

- Target
  
  df74421cd2e9f2c5c440a6ef6361829287093b79515fc70717dd126a3de5da4aN.exe
- Size
  
  658KB
- MD5
  
  78ad87617025235760a058f10c63a900
- SHA1
  
  0d16e1ac88565aa1ad05a7b9d9b02ff0cb4aff88
- SHA256
  
  df74421cd2e9f2c5c440a6ef6361829287093b79515fc70717dd126a3de5da4a
- SHA512
  
  a4f3a5c633fe10da9eb699eb25e70fafeb40a0e868c1187933d29e88ad18fb4d0f3e5c6a527d42ac96b2d107fb005ae99e7e8ca8915376d8519c2311334032d0
- SSDEEP
  
  12288:S9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hC:+Z1xuVVjfFoynPaVBUR8f+kN10EB0
Score

10^/10

darkcomet latentbot asylum discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Latentbot family
  latentbot
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

asylumdarkcomet

behavioral1

darkcometlatentbotasylumdiscoverypersistencerattrojan

behavioral2

darkcometlatentbotasylumdiscoverypersistencerattrojan