darkcomet | 2530fd7526e7258be395e2714294e27b5c746d96b027e6fc932530439bf699d4 | Triage

Sharing

General

Target

JaffaCakes118_2f7016b37139cfdb90de1b3abefc8e10
Size

954KB
Sample

250227-zccwmayqs2
MD5

2f7016b37139cfdb90de1b3abefc8e10
SHA1

875034536e5e985b682696278d27f99d8e5d35f0
SHA256

2530fd7526e7258be395e2714294e27b5c746d96b027e6fc932530439bf699d4
SHA512

7644a4b19aaf86ee57c3849dafe5618b6ba6a89c75d3dd19ed85c3685bf6b3dcd96094db8e4d56f48d16181dcbbe3479f34f77c00c98ec43f662ff890ef299a5
SSDEEP

24576:w5403o25rcHLIuzPm4BXHULgy8XuxFi6l43S:wFpUDm+X9+

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

ittechsupport221.no-ip.biz:1604

Mutex

DC_MUTEX-AHK2LFX

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
VpvSCZEtm94V
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

rc4.plain

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Targets

- Target
  
  JaffaCakes118_2f7016b37139cfdb90de1b3abefc8e10
- Size
  
  954KB
- MD5
  
  2f7016b37139cfdb90de1b3abefc8e10
- SHA1
  
  875034536e5e985b682696278d27f99d8e5d35f0
- SHA256
  
  2530fd7526e7258be395e2714294e27b5c746d96b027e6fc932530439bf699d4
- SHA512
  
  7644a4b19aaf86ee57c3849dafe5618b6ba6a89c75d3dd19ed85c3685bf6b3dcd96094db8e4d56f48d16181dcbbe3479f34f77c00c98ec43f662ff890ef299a5
- SSDEEP
  
  24576:w5403o25rcHLIuzPm4BXHULgy8XuxFi6l43S:wFpUDm+X9+
Score

10^/10

darkcomet guest16 discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16discoverypersistencerattrojan

behavioral2

darkcometguest16discoverypersistencerattrojan