darkcomet | b053a971958fe74b167b3016c5401bd748a618298e7056cc262d1614503c2d97 | Triage

Sharing

General

Target

JaffaCakes118_296038823b99f5ab9a767bfe6d4d6b31
Size

844KB
Sample

250226-3zy9xsxwdw
MD5

296038823b99f5ab9a767bfe6d4d6b31
SHA1

e1fb5df79b3bc12dda55f84bf913a286276366ab
SHA256

b053a971958fe74b167b3016c5401bd748a618298e7056cc262d1614503c2d97
SHA512

bc1e7aa6b82c1dfa31775e75d7c03e94df79a34030b0d9c544c4c9a5d6feee91faf14f5bbfff795769cb588118dc142d7c8a8b3be82018b7d5e5d799816ade86
SSDEEP

12288:vpupUrY6k0uHKBpoIZo89TiO/1CNRZo7tjWdT0zU5/JjExxQ/ixNRhDnk:vpupUr00uqDpZJTiIajJYxa/ixNRhTk

Score

10^/10

darkcomet 4c discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

4c

C2

hvtnecyusy.servequake.com:1604

Mutex

DC_MUTEX-XGTVTGV

Attributes

InstallPath
winupdate.exe
gencode
3#�zeRq./lce
install
true
offline_keylogger
true
persistence
true
reg_key
winupdater

rc4.plain

Targets

- Target
  
  JaffaCakes118_296038823b99f5ab9a767bfe6d4d6b31
- Size
  
  844KB
- MD5
  
  296038823b99f5ab9a767bfe6d4d6b31
- SHA1
  
  e1fb5df79b3bc12dda55f84bf913a286276366ab
- SHA256
  
  b053a971958fe74b167b3016c5401bd748a618298e7056cc262d1614503c2d97
- SHA512
  
  bc1e7aa6b82c1dfa31775e75d7c03e94df79a34030b0d9c544c4c9a5d6feee91faf14f5bbfff795769cb588118dc142d7c8a8b3be82018b7d5e5d799816ade86
- SSDEEP
  
  12288:vpupUrY6k0uHKBpoIZo89TiO/1CNRZo7tjWdT0zU5/JjExxQ/ixNRhDnk:vpupUr00uqDpZJTiIajJYxa/ixNRhTk
Score

10^/10

darkcomet 4c discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcomet4cdiscoverypersistencerattrojan

behavioral2