darkcomet | 28ee0c31b4b8c0f850efd6d49073e9f2735c7587b0099190f0ca7d668c59a398 | Triage

Submit
Reports

Overview

overview

Static

static

yes.exe

windows10-2004-x64

Sharing

General

Target

yes.exe.exe
Size

251KB
Sample

250330-sy3wlstpx5
MD5

61c55a38fb0de6ab47ccf098c827f9aa
SHA1

20593bb3d4b57ec87a3edb64d0492aa9dde3c259
SHA256

28ee0c31b4b8c0f850efd6d49073e9f2735c7587b0099190f0ca7d668c59a398
SHA512

e19cf44348ee6e3a3c55c5402c7c54dddedb0c8bccfeebf08aa49acf2393134c53d579521f9322461109747ea2f1e99fa4488f5e3e784324e425918f844b4ba5
SSDEEP

6144:mcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37a:mcW7KEZlPzCy37

Score

10^/10

darkcomet gcplayer23 defense_evasion discovery persistence rat trojan upx

Static task

static1

upx gcplayer23 darkcomet

3 signatures

Behavioral task

behavioral1

Sample

yes.exe

Resource

win10v2004-20250314-en

darkcomet gcplayer23 defense_evasion discovery persistence rat trojan upx

windows10-2004-x64

26 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

gcplayer23

C2

4.tcp.eu.ngrok.io:19834

Mutex

GC_MUTEX-17DFY2D

Attributes

InstallPath
Pekora\pekora.exe
gencode
UuWZrVebAwmk
install
true
offline_keylogger
true
persistence
true
reg_key
Pekora

rc4.plain

Targets

- Target
  
  yes.exe.exe
- Size
  
  251KB
- MD5
  
  61c55a38fb0de6ab47ccf098c827f9aa
- SHA1
  
  20593bb3d4b57ec87a3edb64d0492aa9dde3c259
- SHA256
  
  28ee0c31b4b8c0f850efd6d49073e9f2735c7587b0099190f0ca7d668c59a398
- SHA512
  
  e19cf44348ee6e3a3c55c5402c7c54dddedb0c8bccfeebf08aa49acf2393134c53d579521f9322461109747ea2f1e99fa4488f5e3e784324e425918f844b4ba5
- SSDEEP
  
  6144:mcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37a:mcW7KEZlPzCy37
Score

10^/10

darkcomet gcplayer23 defense_evasion discovery persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Disables RegEdit via registry modification
  defense_evasion
- Disables Task Manager via registry modification
  defense_evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

upxgcplayer23darkcomet

behavioral1

darkcometgcplayer23defense_evasiondiscoverypersistencerattrojanupx

© 2018-2025

Terms | Privacy