darkcomet | 0c07452276e5f1aeb9141838ba111082f26d649e367260bcac79e7a53c87abe7 | Triage

Sharing

General

Target

JaffaCakes118_473bb96535577da629bae8d844609fd8
Size

1.1MB
Sample

250303-qhdwfaywat
MD5

473bb96535577da629bae8d844609fd8
SHA1

be59020bdd323d2c75f2103779a955439536127e
SHA256

0c07452276e5f1aeb9141838ba111082f26d649e367260bcac79e7a53c87abe7
SHA512

7188f0348c48bfe804774299685e1f23374f1d849e329f00869881bd7428ac905a4142c4d68651107f3189cd32a860e90c36f26a8fed9903bea1e9333a4b9be2
SSDEEP

24576:1pXSPXBknXGancJS9w5vpzcI3qP4SRmVQ:aPX9JSeBz6P4BV

Score

10^/10

darkcomet hawkeye zombie discovery keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Zombie

C2

sukui.zapto.org:81

Mutex

DC_MUTEX-PWN56G3

Attributes

gencode
jsCmksSUB�Uk
install
false
offline_keylogger
false
persistence
false

rc4.plain

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Targets

- Target
  
  JaffaCakes118_473bb96535577da629bae8d844609fd8
- Size
  
  1.1MB
- MD5
  
  473bb96535577da629bae8d844609fd8
- SHA1
  
  be59020bdd323d2c75f2103779a955439536127e
- SHA256
  
  0c07452276e5f1aeb9141838ba111082f26d649e367260bcac79e7a53c87abe7
- SHA512
  
  7188f0348c48bfe804774299685e1f23374f1d849e329f00869881bd7428ac905a4142c4d68651107f3189cd32a860e90c36f26a8fed9903bea1e9333a4b9be2
- SSDEEP
  
  24576:1pXSPXBknXGancJS9w5vpzcI3qP4SRmVQ:aPX9JSeBz6P4BV
Score

10^/10

darkcomet hawkeye zombie discovery keylogger persistence rat spyware stealer trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Hawkeye family
  hawkeye
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcomethawkeyezombiediscoverykeyloggerpersistenceratspywarestealertrojan

behavioral2

darkcomethawkeyezombiediscoverykeyloggerpersistenceratspywarestealertrojan