darkcomet | 32c7f3af9df7f9d50047f168e069bd4e06122efe825db2dd0fae34e2c05ce9ab | Triage

Sharing

General

Target

JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de
Size

1.2MB
Sample

250207-m28y5sykcz
MD5

b64c82d841f0ca478ee4b052973ec8de
SHA1

1d6b7f8243fff0e5cd771e999c9098423e99eeb1
SHA256

32c7f3af9df7f9d50047f168e069bd4e06122efe825db2dd0fae34e2c05ce9ab
SHA512

1d9bfe0e21a6c1639eaa908fef16d3d6777fd0fb08ccd3c014600449fb5df8977fa58986a2afa49c4971b18f63ab802fa779d70e78d4fc3da7314dfbe5c38623
SSDEEP

12288:/V9QZXi5ITtw8xqm8LlO5/8h4+9Ymoxefl5QT5VVpJ5PCf/BPEsKZXCa6jpoLuJl:UTtNkoxBUJjTH6FyTKJ49HGjNA

Score

10^/10

darkcomet devilskartel discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

DEVILSKARTEL

C2

murdak.no-ip.org:100

Mutex

DC_MUTEX-D4UU794

Attributes

InstallPath
MICROSOFTUPDATE.exe
gencode
oF.s0Pyx7UWi
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Targets

- Target
  
  JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de
- Size
  
  1.2MB
- MD5
  
  b64c82d841f0ca478ee4b052973ec8de
- SHA1
  
  1d6b7f8243fff0e5cd771e999c9098423e99eeb1
- SHA256
  
  32c7f3af9df7f9d50047f168e069bd4e06122efe825db2dd0fae34e2c05ce9ab
- SHA512
  
  1d9bfe0e21a6c1639eaa908fef16d3d6777fd0fb08ccd3c014600449fb5df8977fa58986a2afa49c4971b18f63ab802fa779d70e78d4fc3da7314dfbe5c38623
- SSDEEP
  
  12288:/V9QZXi5ITtw8xqm8LlO5/8h4+9Ymoxefl5QT5VVpJ5PCf/BPEsKZXCa6jpoLuJl:UTtNkoxBUJjTH6FyTKJ49HGjNA
Score

10^/10

darkcomet devilskartel discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdevilskarteldiscoverypersistencerattrojan

behavioral2

darkcometdevilskarteldiscoverypersistencerattrojan