darkcomet | 938bd9bc72679a0fa7c58952f47648187c7ff0b3fad92dae6826f3f82c42da1c | Triage

Sharing

General

Target

JaffaCakes118_aafee799316c875555aa6e4b93910716
Size

783KB
Sample

250410-vcsjvsxvhx
MD5

aafee799316c875555aa6e4b93910716
SHA1

c3c36f7c1b27ff26d604a7c4e1e120963a47848e
SHA256

938bd9bc72679a0fa7c58952f47648187c7ff0b3fad92dae6826f3f82c42da1c
SHA512

61944991b47b02d2fa57360aeb38b76f8fa06554c01d4b849aa4bc77e71c590c59783b3cf9c1e8f594bb4512b0f123f4323c1a3af009d108ebc144857ff2a579
SSDEEP

12288:ANGPl7a/Pvi+9kHT2EZfHtGbCPlmQa4hTDD4zrj7vE169j0jmUTWuoA6:9PlOPviFT1wbMlvuf3n9jGrT9oB

Score

10^/10

darkcomet latentbot office defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

office

C2

boottheworld.zapto.org:8565

Mutex

DC_MUTEX-2JAEW7Q

Attributes

InstallPath
svchost\svchost.exe
gencode
p5oiCq-DXtYQ
install
true
offline_keylogger
false
password
d257389q
persistence
true
reg_key
svchost

rc4.plain

Extracted

Family

latentbot

C2

boottheworld.zapto.org

Targets

- Target
  
  JaffaCakes118_aafee799316c875555aa6e4b93910716
- Size
  
  783KB
- MD5
  
  aafee799316c875555aa6e4b93910716
- SHA1
  
  c3c36f7c1b27ff26d604a7c4e1e120963a47848e
- SHA256
  
  938bd9bc72679a0fa7c58952f47648187c7ff0b3fad92dae6826f3f82c42da1c
- SHA512
  
  61944991b47b02d2fa57360aeb38b76f8fa06554c01d4b849aa4bc77e71c590c59783b3cf9c1e8f594bb4512b0f123f4323c1a3af009d108ebc144857ff2a579
- SSDEEP
  
  12288:ANGPl7a/Pvi+9kHT2EZfHtGbCPlmQa4hTDD4zrj7vE169j0jmUTWuoA6:9PlOPviFT1wbMlvuf3n9jGrT9oB
Score

10^/10

darkcomet latentbot office defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Latentbot family
  latentbot
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  defense_evasion
- Windows security bypass
  defense_evasion trojan
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Executes dropped EXE
- Windows security modification
  defense_evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometlatentbotofficedefense_evasiondiscoverypersistencerattrojan