darkcomet | 1269d0e2254b5b7244a3040f6f6f30be510e89b289e43c57a95ef7e9eb2acd17 | Triage

Sharing

General

Target

1269d0e2254b5b7244a3040f6f6f30be510e89b289e43c57a95ef7e9eb2acd17
Size

746KB
Sample

250223-y1cebsxjs6
MD5

16033e6fdc377f1d513448e50b17b26e
SHA1

a820b81fef640df0bf88480817d1d0b8e6be4171
SHA256

1269d0e2254b5b7244a3040f6f6f30be510e89b289e43c57a95ef7e9eb2acd17
SHA512

8f7efde7e791cc7ceb763cd9b815619cc25ef90e16db15d435ded885ba8d826f69e801da148b339de61fb29a01f1cb72e4c3aff8f41d2843fb8031eddf0d2bc1
SSDEEP

12288:c6A84PaHhfD/tV9sj5NKR0pau9XGyu2i5NG/hg6Nlh:xAmBpVKHu0Mu9Xo2ENG/XNn

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

asdfghjas.3322.org:1604

Mutex

DC_MUTEX-6W3ZS70

Attributes

InstallPath
program\svchost.exe
gencode
NvpM4QYjTaRf
install
true
offline_keylogger
true
persistence
false
reg_key
program

rc4.plain

Targets

- Target
  
  1269d0e2254b5b7244a3040f6f6f30be510e89b289e43c57a95ef7e9eb2acd17
- Size
  
  746KB
- MD5
  
  16033e6fdc377f1d513448e50b17b26e
- SHA1
  
  a820b81fef640df0bf88480817d1d0b8e6be4171
- SHA256
  
  1269d0e2254b5b7244a3040f6f6f30be510e89b289e43c57a95ef7e9eb2acd17
- SHA512
  
  8f7efde7e791cc7ceb763cd9b815619cc25ef90e16db15d435ded885ba8d826f69e801da148b339de61fb29a01f1cb72e4c3aff8f41d2843fb8031eddf0d2bc1
- SSDEEP
  
  12288:c6A84PaHhfD/tV9sj5NKR0pau9XGyu2i5NG/hg6Nlh:xAmBpVKHu0Mu9Xo2ENG/XNn
Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

guest16darkcomet

behavioral1

darkcometguest16defense_evasiondiscoverypersistencerattrojan

behavioral2

darkcometguest16defense_evasiondiscoverypersistencerattrojan