darkcomet | 01729c97c10457d709e4b9669a624db609e82ff20b65942b99bd814f14bfe536 | Triage

Sharing

General

Target

JaffaCakes118_8c55832a94ce16e0c6ec6a0bf9895784
Size

1.2MB
Sample

250329-vrj62a1ya1
MD5

8c55832a94ce16e0c6ec6a0bf9895784
SHA1

bb2313ac8f07cafa0cf82379237a5dfcd66f7118
SHA256

01729c97c10457d709e4b9669a624db609e82ff20b65942b99bd814f14bfe536
SHA512

afe0bf6dd4571e1809d0f5df1138c1d26307ca65ee748abccb854d50a7046814dcd71869a7519277857a66e484eeaf3e65f6a4507d4d3b500e17f770563837c0
SSDEEP

24576:AyFNA6AIKHdtTwNyMXOqaUicC9AnwAK7CTJKwjI+:TTySWWjI+

Score

10^/10

darkcomet latentbot fvictim defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

fvictim

C2

mranarchist11.zapto.org:1604

Mutex

DC_MUTEX-V90U3RC

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
YQruLKBbNyup
install
true
offline_keylogger
true
persistence
true
reg_key
GoogleUpdate

rc4.plain

Extracted

Family

latentbot

C2

mranarchist11.zapto.org

Targets

- Target
  
  JaffaCakes118_8c55832a94ce16e0c6ec6a0bf9895784
- Size
  
  1.2MB
- MD5
  
  8c55832a94ce16e0c6ec6a0bf9895784
- SHA1
  
  bb2313ac8f07cafa0cf82379237a5dfcd66f7118
- SHA256
  
  01729c97c10457d709e4b9669a624db609e82ff20b65942b99bd814f14bfe536
- SHA512
  
  afe0bf6dd4571e1809d0f5df1138c1d26307ca65ee748abccb854d50a7046814dcd71869a7519277857a66e484eeaf3e65f6a4507d4d3b500e17f770563837c0
- SSDEEP
  
  24576:AyFNA6AIKHdtTwNyMXOqaUicC9AnwAK7CTJKwjI+:TTySWWjI+
Score

10^/10

discovery darkcomet latentbot fvictim defense_evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Latentbot family
  latentbot
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  defense_evasion
- Disables RegEdit via registry modification
  defense_evasion
- Disables Task Manager via registry modification
  defense_evasion
- Drops file in Drivers directory
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Executes dropped EXE
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

darkcometlatentbotfvictimdefense_evasiondiscoverypersistencerattrojan