darkcomet | a4b196e112825232a260725c2651764ad8d2bdcc5974ee4b0a9c635c14b0eb10 | Triage

Resubmissions

05/02/2025, 07:18

250205-h48nyaxnbp 10

01/10/2022, 23:37

221001-3mk7jaddeq 10

Sharing

General

Target

a4b196e112825232a260725c2651764ad8d2bdcc5974ee4b0a9c635c14b0eb10
Size

690KB
Sample

250205-h48nyaxnbp
MD5

45bfee45177d62952de9c03f661c4b1a
SHA1

e12804084039f235b768a21594c9e20b9ddb0d1b
SHA256

a4b196e112825232a260725c2651764ad8d2bdcc5974ee4b0a9c635c14b0eb10
SHA512

288247162e0cd2dca6e0d51890a70694a2ffaf0b0983f41f0048271c74af16a9eb8175c0e9f6fd91325ca93423aafd6816278e93520308ce53372e4f848f1264
SSDEEP

12288:f9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h9lI:JZ1xuVVjfFoynPaVBUR8f+kN10EBW

Score

10^/10

darkcomet guest16 android defense_evasion discovery linux macos persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-7R3QTTQ

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
NPore9Jz402K
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  a4b196e112825232a260725c2651764ad8d2bdcc5974ee4b0a9c635c14b0eb10
- Size
  
  690KB
- MD5
  
  45bfee45177d62952de9c03f661c4b1a
- SHA1
  
  e12804084039f235b768a21594c9e20b9ddb0d1b
- SHA256
  
  a4b196e112825232a260725c2651764ad8d2bdcc5974ee4b0a9c635c14b0eb10
- SHA512
  
  288247162e0cd2dca6e0d51890a70694a2ffaf0b0983f41f0048271c74af16a9eb8175c0e9f6fd91325ca93423aafd6816278e93520308ce53372e4f848f1264
- SSDEEP
  
  12288:f9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h9lI:JZ1xuVVjfFoynPaVBUR8f+kN10EBW
Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies security service
  defense_evasion
- Windows security bypass
  defense_evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  defense_evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5 behavioral6 behavioral7 behavioral8 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

guest16darkcomet

behavioral1

darkcometguest16defense_evasiondiscoverypersistencerattrojan

behavioral2

darkcometguest16defense_evasiondiscoverypersistencerattrojan

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9