darkcomet | 1111f013a010a57a6739a8d4d0891728547cbbf80e45e77369a05d3423a28915 | Triage

Sharing

General

Target

NanoCore.exe
Size

1.1MB
Sample

250113-zg6dqsxkdv
MD5

e4aeb7b31d677a5a9a58a4762fab1321
SHA1

a5e7279b6d59236296031ff87976e33fbd8cf34d
SHA256

1111f013a010a57a6739a8d4d0891728547cbbf80e45e77369a05d3423a28915
SHA512

964dda5030a54493aeebb8b478a76ccd98456184224332e66d5b693d311c83da11c360355c8d73e539ebc7b6ed0d0d2e78f65eef0f75d48c64a63cf10411e1fa
SSDEEP

24576:sdZ1xuVVjfFoynPaVBUR8f+kN10EBIQXiClSI5tIkjh:snQDgok30Edb

Score

10^/10

darkcomet nanocore idman discovery evasion keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

darkcomet

Botnet

IDMAN

C2

arrivals.ddns.net:2323

Mutex

DC_MUTEX-391X2ZJ

Attributes

InstallPath
MSDCSC\IDMAN.exe
gencode
CUWbhGwmWBMb
install
true
offline_keylogger
true
persistence
true
reg_key
IDMAN

Targets

- Target
  
  NanoCore.exe
- Size
  
  1.1MB
- MD5
  
  e4aeb7b31d677a5a9a58a4762fab1321
- SHA1
  
  a5e7279b6d59236296031ff87976e33fbd8cf34d
- SHA256
  
  1111f013a010a57a6739a8d4d0891728547cbbf80e45e77369a05d3423a28915
- SHA512
  
  964dda5030a54493aeebb8b478a76ccd98456184224332e66d5b693d311c83da11c360355c8d73e539ebc7b6ed0d0d2e78f65eef0f75d48c64a63cf10411e1fa
- SSDEEP
  
  24576:sdZ1xuVVjfFoynPaVBUR8f+kN10EBIQXiClSI5tIkjh:snQDgok30Edb
Score

10^/10

darkcomet nanocore idman discovery evasion keylogger persistence rat spyware stealer trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

darkcometnanocore

behavioral1

darkcometnanocoreidmandiscoveryevasionkeyloggerpersistenceratspywarestealertrojan

behavioral2

darkcometnanocoreidmandiscoveryevasionkeyloggerpersistenceratspywarestealertrojan