darkcomet

General

Target

7639776db988583b407620c0fbdeb6b320876e9eca997ccb0f2bc2a379b0f035.exe
Size

756KB
Sample

250212-qmmddaspfl
MD5

29e0da04e8aa29efc9a91358cffbafc7
SHA1

16590f4e92c1cfef08237f08b48cdccb2c7e4cfc
SHA256

7639776db988583b407620c0fbdeb6b320876e9eca997ccb0f2bc2a379b0f035
SHA512

77b9bd299093671ed967c01fc5dbe3e89b484c4c75fdb3294b96f8e5aca17be5145010e04fd5112bf056e6c273bba13f07c1269898b66cf520bea34dfcecc870
SSDEEP

12288:K9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/ht:GZ1xuVVjfFoynPaVBUR8f+kN10EBv

Score

10^/10

Malware Config

Extracted

Family

darkcomet

Botnet

Mucix

C2

heybeybidonunneydi.no-ip.org:15963

civcivessek.no-ip.org:15963

Mutex

DC_MUTEX-Y88TJ9D

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
Fs9Wry9kctNE
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Targets

- Target
  
  7639776db988583b407620c0fbdeb6b320876e9eca997ccb0f2bc2a379b0f035.exe
- Size
  
  756KB
- MD5
  
  29e0da04e8aa29efc9a91358cffbafc7
- SHA1
  
  16590f4e92c1cfef08237f08b48cdccb2c7e4cfc
- SHA256
  
  7639776db988583b407620c0fbdeb6b320876e9eca997ccb0f2bc2a379b0f035
- SHA512
  
  77b9bd299093671ed967c01fc5dbe3e89b484c4c75fdb3294b96f8e5aca17be5145010e04fd5112bf056e6c273bba13f07c1269898b66cf520bea34dfcecc870
- SSDEEP
  
  12288:K9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/ht:GZ1xuVVjfFoynPaVBUR8f+kN10EBv
Score

10^/10

darkcomet mucix defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  defense_evasion
- Modifies security service
  defense_evasion
- Windows security bypass
  defense_evasion trojan
- Disables RegEdit via registry modification
  defense_evasion
- Disables Task Manager via registry modification
  defense_evasion
- Downloads MZ/PE file
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  defense_evasion trojan
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2