darkcomet | 4cd1a61c78ab7947e717bba9f8cddfc404294f1d4cfec5cdbf2526a30ebaed9e | Triage

Sharing

General

Target

JaffaCakes118_1d65aa7463edc2167b396bde72f44a11
Size

842KB
Sample

250223-baltratmep
MD5

1d65aa7463edc2167b396bde72f44a11
SHA1

446ffaf4daee028938050c130b00385d5070d7d2
SHA256

4cd1a61c78ab7947e717bba9f8cddfc404294f1d4cfec5cdbf2526a30ebaed9e
SHA512

7af906361047541cc75fe44958e2cde5916dac66c62fec13f1fd2fbf1ed6e38280cc96572453e9830d3055a3144439af9c2909b1c9ed2991d4eb0799b327d420
SSDEEP

12288:WrELIki3xtxnzu9YfsfR3nzPlXF3rZ9cPxERpCMb3yJ6Kc1ZfXTVNtRk9z4UeGj:rIV31uekjF9cYpCMb3y+NjVNtE/

Score

10^/10

darkcomet hacked defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Hacked

C2

md5ppn.no-ip.org:5656

md5ppn.no-ip.biz:5656

md5ppn.no-ip.biz:20012

md5ppn.no-ip.org:20012

md5ppn.no-ip.org:81

md5ppn.no-ip.biz:81

Mutex

DC_MUTEX-48S18PP

Attributes

InstallPath
explorer.exe
gencode
YtE6cF00wTdB
install
true
offline_keylogger
true
persistence
true
reg_key
explorer

rc4.plain

Targets

- Target
  
  JaffaCakes118_1d65aa7463edc2167b396bde72f44a11
- Size
  
  842KB
- MD5
  
  1d65aa7463edc2167b396bde72f44a11
- SHA1
  
  446ffaf4daee028938050c130b00385d5070d7d2
- SHA256
  
  4cd1a61c78ab7947e717bba9f8cddfc404294f1d4cfec5cdbf2526a30ebaed9e
- SHA512
  
  7af906361047541cc75fe44958e2cde5916dac66c62fec13f1fd2fbf1ed6e38280cc96572453e9830d3055a3144439af9c2909b1c9ed2991d4eb0799b327d420
- SSDEEP
  
  12288:WrELIki3xtxnzu9YfsfR3nzPlXF3rZ9cPxERpCMb3yJ6Kc1ZfXTVNtRk9z4UeGj:rIV31uekjF9cYpCMb3y+NjVNtE/
Score

10^/10

darkcomet hacked defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies security service
  defense_evasion
- Windows security bypass
  defense_evasion trojan
- Disables RegEdit via registry modification
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  defense_evasion trojan
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcomethackeddefense_evasiondiscoverypersistencerattrojan

behavioral2

darkcomethackeddefense_evasiondiscoverypersistencerattrojan