darkcomet | 16a3594451a28ecd761dac457bd0c69e64da7cc757c7738a20f8b038f81884fc | Triage

Sharing

General

Target

JaffaCakes118_bad08d05cda85012139b65ae76b480d9
Size

541KB
Sample

250207-yj7txawlhp
MD5

bad08d05cda85012139b65ae76b480d9
SHA1

8afc8334c4ab0622e7dd7d5b6d5f5fccd6d098e9
SHA256

16a3594451a28ecd761dac457bd0c69e64da7cc757c7738a20f8b038f81884fc
SHA512

d264ff0797f883f15dd9fe6da0a2e4ca9ba561aa6d4cc5c1bc9d87de44b972e80b73976221555b1eb5eefbf1ac218c42d30e578df480655366a61a3ecfabfd88
SSDEEP

12288:XMmiZtBK5o8aJOveyr5hP5N7iwRMbnWdnI:XTizB0R2KP5N7iwR39I

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

tf25.zapto.org:1604

Mutex

DC_MUTEX-GWP842Q

Attributes

gencode
z/vWloEgu2ap
install
false
offline_keylogger
true
password
dropplace
persistence
false

rc4.plain

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Targets

- Target
  
  JaffaCakes118_bad08d05cda85012139b65ae76b480d9
- Size
  
  541KB
- MD5
  
  bad08d05cda85012139b65ae76b480d9
- SHA1
  
  8afc8334c4ab0622e7dd7d5b6d5f5fccd6d098e9
- SHA256
  
  16a3594451a28ecd761dac457bd0c69e64da7cc757c7738a20f8b038f81884fc
- SHA512
  
  d264ff0797f883f15dd9fe6da0a2e4ca9ba561aa6d4cc5c1bc9d87de44b972e80b73976221555b1eb5eefbf1ac218c42d30e578df480655366a61a3ecfabfd88
- SSDEEP
  
  12288:XMmiZtBK5o8aJOveyr5hP5N7iwRMbnWdnI:XTizB0R2KP5N7iwR39I
Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Disables RegEdit via registry modification
  defense_evasion
- Disables Task Manager via registry modification
  defense_evasion
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16defense_evasiondiscoverypersistencerattrojan

behavioral2

darkcometguest16defense_evasiondiscoverypersistencerattrojan