darkcomet | 9c8c9d60f5ff9e6c73c86ac03ef7219890a05021f9cdde8405aa3f6074336281 | Triage

Sharing

General

Target

9c8c9d60f5ff9e6c73c86ac03ef7219890a05021f9cdde8405aa3f6074336281
Size

718KB
Sample

250223-cmvg4awns6
MD5

0b24ce0108d97bebaf6b7fc8227806b0
SHA1

42024f471677e42b653dc652becb814da3aba8ea
SHA256

9c8c9d60f5ff9e6c73c86ac03ef7219890a05021f9cdde8405aa3f6074336281
SHA512

eeec681103e82c2c22ac2067a3363cdfda25fad91846e1e36c1bd00166758b490c6a47b8745d3b7f6885a0902bde35a41b366f5aeb2f64bd9f9d304c7a716103
SSDEEP

12288:UA3dAGVnn/jOXuWjfua4exV8ZR4AU3Dx0VUuV9BGfg0vnW+gMB5RHBZxMq/Njno:x3dAG5n/jUuC7xVsRbgDOVrBGo0vXlHd

Score

10^/10

darkcomet guest16_min discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

127.0.0.1:1604

Mutex

DCMIN_MUTEX-VQPDBQ3

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
agBvrXCiCZpQ
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

rc4.plain

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Targets

- Target
  
  9c8c9d60f5ff9e6c73c86ac03ef7219890a05021f9cdde8405aa3f6074336281
- Size
  
  718KB
- MD5
  
  0b24ce0108d97bebaf6b7fc8227806b0
- SHA1
  
  42024f471677e42b653dc652becb814da3aba8ea
- SHA256
  
  9c8c9d60f5ff9e6c73c86ac03ef7219890a05021f9cdde8405aa3f6074336281
- SHA512
  
  eeec681103e82c2c22ac2067a3363cdfda25fad91846e1e36c1bd00166758b490c6a47b8745d3b7f6885a0902bde35a41b366f5aeb2f64bd9f9d304c7a716103
- SSDEEP
  
  12288:UA3dAGVnn/jOXuWjfua4exV8ZR4AU3Dx0VUuV9BGfg0vnW+gMB5RHBZxMq/Njno:x3dAG5n/jUuC7xVsRbgDOVrBGo0vXlHd
Score

10^/10

darkcomet guest16_min discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16_mindiscoverypersistencerattrojan

behavioral2