darkcomet | 34c843be3ed2097ad33741027bf04d74c9bb66089a9790d6c4caf4663766a963 | Triage

Sharing

General

Target

JaffaCakes118_3fedaaa6b14e21d998c10390b968ab3a
Size

792KB
Sample

250302-nkrtzatmx8
MD5

3fedaaa6b14e21d998c10390b968ab3a
SHA1

40247208ec288e37c71ff5b31e5a04588a5051ce
SHA256

34c843be3ed2097ad33741027bf04d74c9bb66089a9790d6c4caf4663766a963
SHA512

301fb9f50afc644185a70930f2ae640bdfbe9433d14175f696598dd2d9d5fd880519a2afca0a09017378c16535025d348e6dac34b4e28afd58be16c4ee250b27
SSDEEP

24576:VTCRQwVk9ARxR/GsrluIJrqM5tCUhXdrp:URNVXFGS35wo

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

vertexking.no-ip.org:999

Mutex

DC_MUTEX-LQMAH1E

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
nXqAHZmfTLW0
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

rc4.plain

Targets

- Target
  
  JaffaCakes118_3fedaaa6b14e21d998c10390b968ab3a
- Size
  
  792KB
- MD5
  
  3fedaaa6b14e21d998c10390b968ab3a
- SHA1
  
  40247208ec288e37c71ff5b31e5a04588a5051ce
- SHA256
  
  34c843be3ed2097ad33741027bf04d74c9bb66089a9790d6c4caf4663766a963
- SHA512
  
  301fb9f50afc644185a70930f2ae640bdfbe9433d14175f696598dd2d9d5fd880519a2afca0a09017378c16535025d348e6dac34b4e28afd58be16c4ee250b27
- SSDEEP
  
  24576:VTCRQwVk9ARxR/GsrluIJrqM5tCUhXdrp:URNVXFGS35wo
Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16defense_evasiondiscoverypersistencerattrojan

behavioral2

darkcometguest16defense_evasiondiscoverypersistencerattrojan