darkcomet | c804d9616b654301e9803b4fb869e4cdbcc55bf1444cbef6aaa0adf4f85f39e6 | Triage

Sharing

General

Target

c804d9616b654301e9803b4fb869e4cdbcc55bf1444cbef6aaa0adf4f85f39e6.exe
Size

667KB
Sample

250216-q27mvszkdv
MD5

dfd40fba93e4ad79fcbffb33c9f459f7
SHA1

59ec68c8c481d265b23d526e584d332f064c70b5
SHA256

c804d9616b654301e9803b4fb869e4cdbcc55bf1444cbef6aaa0adf4f85f39e6
SHA512

2f85f0b781f16a07b1d719c293d36ddae45105047f4a345cef5c996dbb51a366c4250c743b5cbf518036791150dcac1ef3f966dcf1fb9a000c1be68dcb6f56e2
SSDEEP

12288:6X2JVHMRtDaSm3TJvVNvWV5YTsY7tHwbz/htfcoCoK632zb7G/Qs:Ess2Sm39NNv9wY7tHwbzfIoK6MoX

Score

10^/10

darkcomet victimes defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Victimes

C2

foxiland.no-ip.info:1605

Mutex

DC_MUTEX-JA9LRF4

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
fi9F5LG8zDJG
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Targets

- Target
  
  c804d9616b654301e9803b4fb869e4cdbcc55bf1444cbef6aaa0adf4f85f39e6.exe
- Size
  
  667KB
- MD5
  
  dfd40fba93e4ad79fcbffb33c9f459f7
- SHA1
  
  59ec68c8c481d265b23d526e584d332f064c70b5
- SHA256
  
  c804d9616b654301e9803b4fb869e4cdbcc55bf1444cbef6aaa0adf4f85f39e6
- SHA512
  
  2f85f0b781f16a07b1d719c293d36ddae45105047f4a345cef5c996dbb51a366c4250c743b5cbf518036791150dcac1ef3f966dcf1fb9a000c1be68dcb6f56e2
- SSDEEP
  
  12288:6X2JVHMRtDaSm3TJvVNvWV5YTsY7tHwbz/htfcoCoK632zb7G/Qs:Ess2Sm39NNv9wY7tHwbzfIoK6MoX
Score

10^/10

darkcomet victimes defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  defense_evasion
- Modifies security service
  defense_evasion
- Windows security bypass
  defense_evasion trojan
- Downloads MZ/PE file
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  defense_evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

victimesdarkcomet

behavioral1

darkcometvictimesdefense_evasiondiscoverypersistencerattrojan

behavioral2

darkcometvictimesdefense_evasiondiscoverypersistencerattrojan