darkcomet | 5918de565bef17006e9b3ec2ef017d786aad4f27f2912fea242d471f52e33652 | Triage

Sharing

General

Target

JaffaCakes118_2bd7cd4c15fa82d33dfbbd63fe751be6
Size

1.4MB
Sample

250227-jy7p5asnt7
MD5

2bd7cd4c15fa82d33dfbbd63fe751be6
SHA1

0876eedc0333955f4c471c2cec441e4155e9e71f
SHA256

5918de565bef17006e9b3ec2ef017d786aad4f27f2912fea242d471f52e33652
SHA512

17839fee0efa17e108a909768ca5e195673338177ea7f3b919436fd3c2cfdab8a441eec546337cec04df6f5e3a4017f6885ad855d67cb9f0efbc3a8643ad74f7
SSDEEP

24576:kRmJkcoQricOIQxiZY1ia3BEX7o0wAZbn8DEu94ZcvAm45:hJZoQrbTFZY1iaREXk0wWbT+4+om45

Score

10^/10

darkcomet guest16_min discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

176.31.65.184:1604

Mutex

DCMIN_MUTEX-GMFC3TS

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
ysRvVVnKt7W8
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

rc4.plain

Targets

- Target
  
  JaffaCakes118_2bd7cd4c15fa82d33dfbbd63fe751be6
- Size
  
  1.4MB
- MD5
  
  2bd7cd4c15fa82d33dfbbd63fe751be6
- SHA1
  
  0876eedc0333955f4c471c2cec441e4155e9e71f
- SHA256
  
  5918de565bef17006e9b3ec2ef017d786aad4f27f2912fea242d471f52e33652
- SHA512
  
  17839fee0efa17e108a909768ca5e195673338177ea7f3b919436fd3c2cfdab8a441eec546337cec04df6f5e3a4017f6885ad855d67cb9f0efbc3a8643ad74f7
- SSDEEP
  
  24576:kRmJkcoQricOIQxiZY1ia3BEX7o0wAZbn8DEu94ZcvAm45:hJZoQrbTFZY1iaREXk0wWbT+4+om45
Score

10^/10

darkcomet guest16_min discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16_mindiscoverypersistencerattrojan

behavioral2

darkcometguest16_mindiscoverypersistencerattrojan