darkcomet | 43dae29cd78435bf66ef5fe4f28a2450f2ef0817eb5464b199bc9cbf1bcb9b7d | Triage

Sharing

General

Target

JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d
Size

1016KB
Sample

250123-vfm4jswmft
MD5

19440ea43f191a1dfddab2d1304ce41d
SHA1

bfca30a3717e82bb1628ebe618b2ad643113111f
SHA256

43dae29cd78435bf66ef5fe4f28a2450f2ef0817eb5464b199bc9cbf1bcb9b7d
SHA512

63dc43aae9fc9c1878a6916857cbd74a74c9ce19abb91a4eb2d27a60cc7694f9e3889f918a2be41183b77d7c6214050546dcbb72eaf8d82d35677964c2f8c523
SSDEEP

12288:qkd9asya3CevNS8eIfkJMx3zUWOBv6KxYP2iq5zgDCTQqHBtveUK2/k1JHnKlKeN:Vcst3CMlx2qb8vxYvTDdqH6Ul/k3Hnh

Score

10^/10

darkcomet guest16 defense_evasion discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

monasalam.no-ip.org:443

192.168.80.128:443

Mutex

DC_MUTEX-9TJWCM4

Attributes

gencode
Qa5T4Rt0Td8L
install
false
offline_keylogger
true
persistence
false

Targets

- Target
  
  JaffaCakes118_19440ea43f191a1dfddab2d1304ce41d
- Size
  
  1016KB
- MD5
  
  19440ea43f191a1dfddab2d1304ce41d
- SHA1
  
  bfca30a3717e82bb1628ebe618b2ad643113111f
- SHA256
  
  43dae29cd78435bf66ef5fe4f28a2450f2ef0817eb5464b199bc9cbf1bcb9b7d
- SHA512
  
  63dc43aae9fc9c1878a6916857cbd74a74c9ce19abb91a4eb2d27a60cc7694f9e3889f918a2be41183b77d7c6214050546dcbb72eaf8d82d35677964c2f8c523
- SSDEEP
  
  12288:qkd9asya3CevNS8eIfkJMx3zUWOBv6KxYP2iq5zgDCTQqHBtveUK2/k1JHnKlKeN:Vcst3CMlx2qb8vxYvTDdqH6Ul/k3Hnh
Score

10^/10

darkcomet guest16 defense_evasion discovery rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies firewall policy service
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16defense_evasiondiscoveryrattrojan

behavioral2

darkcometguest16defense_evasiondiscoveryrattrojan