darkcomet | 1c51fa06439b97b06dd793b6ffa378672233047008f7a92b75b85a4dbf7d1c64 | Triage

Sharing

General

Target

JaffaCakes118_8ad729b2555724910616233931ad7949
Size

1.0MB
Sample

250328-t4y1aayves
MD5

8ad729b2555724910616233931ad7949
SHA1

1e324fbe98fedf92c459e74675cfccd943a95f32
SHA256

1c51fa06439b97b06dd793b6ffa378672233047008f7a92b75b85a4dbf7d1c64
SHA512

3078a06641cd0e1b954d4105da844d3158010c077ed31a820945e0d1d1cf0e4afd7ebe5842187204532107a5ead7811f71abcc37fec18efb0c86f94a15cfbfed
SSDEEP

12288:uYpo/eUYOI4L2aZHZp7Ol8Oi1KxVwWnN1L2wvFt4MQzQ4WD9isjgk0cE3ZjpTANS:LK20R/A4m97sxgUdz3pZzfBpQyp5mi

Score

10^/10

darkcomet infected discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Infected

C2

486.no-ip.info:3070

Mutex

DC_MUTEX-9366JHV

Attributes

InstallPath
Winupd\winupd.exe
gencode
g�9XqzgXExMy
install
true
offline_keylogger
true
persistence
true
reg_key
windows Update

rc4.plain

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Targets

- Target
  
  JaffaCakes118_8ad729b2555724910616233931ad7949
- Size
  
  1.0MB
- MD5
  
  8ad729b2555724910616233931ad7949
- SHA1
  
  1e324fbe98fedf92c459e74675cfccd943a95f32
- SHA256
  
  1c51fa06439b97b06dd793b6ffa378672233047008f7a92b75b85a4dbf7d1c64
- SHA512
  
  3078a06641cd0e1b954d4105da844d3158010c077ed31a820945e0d1d1cf0e4afd7ebe5842187204532107a5ead7811f71abcc37fec18efb0c86f94a15cfbfed
- SSDEEP
  
  12288:uYpo/eUYOI4L2aZHZp7Ol8Oi1KxVwWnN1L2wvFt4MQzQ4WD9isjgk0cE3ZjpTANS:LK20R/A4m97sxgUdz3pZzfBpQyp5mi
Score

10^/10

darkcomet infected discovery rat trojan persistence
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometinfecteddiscoveryrattrojan

behavioral2

darkcometinfecteddiscoverypersistencerattrojan