darkcomet | cc8c8a7d034f5141dc99c14d1910b065ee3ab2debc5e5ac409f6612a8c2d2c61 | Triage

Sharing

General

Target

JaffaCakes118_1e49a062f5e951716ade7657fd2eb4e0
Size

514KB
Sample

250223-ea6eyaxrs3
MD5

1e49a062f5e951716ade7657fd2eb4e0
SHA1

2c717266647f7be48837a77af886199ad51a6831
SHA256

cc8c8a7d034f5141dc99c14d1910b065ee3ab2debc5e5ac409f6612a8c2d2c61
SHA512

c4af7902e6b4f84ca27d5084cb7aeb10a8ab8f8ee4fb3b012d9d0796d941f2535e9880cba73dc7b9d83a236d87352f9c5340b764e6e39a5b3089f827c56035d3
SSDEEP

12288:pWbD0SPCqQs0Nb50sY5xLoJ0Yi9ZvhYFdvch+481K1yFUdkY:MbD0SPCZLOX0Wr9ZviDk80g2kY

Score

10^/10

darkcomet 1.0 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Extracted

Family

darkcomet

Botnet

1.0

C2

facebook.istmein.de:200

facebook.istmein.de:1194

l0fls.hopto.org:200

Mutex

DC_MUTEX-UUVR2L2

Attributes

InstallPath
Roaming\Microsoft\svchost.exe
gencode
aC80Ajlf1Yr3
install
true
offline_keylogger
true
password
Noway123
persistence
true
reg_key
svchost

rc4.plain

Targets

- Target
  
  JaffaCakes118_1e49a062f5e951716ade7657fd2eb4e0
- Size
  
  514KB
- MD5
  
  1e49a062f5e951716ade7657fd2eb4e0
- SHA1
  
  2c717266647f7be48837a77af886199ad51a6831
- SHA256
  
  cc8c8a7d034f5141dc99c14d1910b065ee3ab2debc5e5ac409f6612a8c2d2c61
- SHA512
  
  c4af7902e6b4f84ca27d5084cb7aeb10a8ab8f8ee4fb3b012d9d0796d941f2535e9880cba73dc7b9d83a236d87352f9c5340b764e6e39a5b3089f827c56035d3
- SSDEEP
  
  12288:pWbD0SPCqQs0Nb50sY5xLoJ0Yi9ZvhYFdvch+481K1yFUdkY:MbD0SPCZLOX0Wr9ZviDk80g2kY
Score

10^/10

darkcomet 1.0 discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcomet1.0discoverypersistencerattrojan

behavioral2

darkcomet1.0discoverypersistencerattrojan