darkcomet | 2a36bfa24a13cff48080cc90e8233561b63c7b0bca4fd36dea43a1012d6ed45a | Triage

Sharing

General

Target

JaffaCakes118_b65db09b7aa7715778918b2f4ef8df95
Size

1.2MB
Sample

250414-cx1f4axlw7
MD5

b65db09b7aa7715778918b2f4ef8df95
SHA1

d3a58b81ff9043cccdfa9b025d34e807b0d0aff6
SHA256

2a36bfa24a13cff48080cc90e8233561b63c7b0bca4fd36dea43a1012d6ed45a
SHA512

11468e8fa73b0b772d96c07fa8a28b54757102e8ea4e3f33ecbff8d4f7c90c3cf7259ec7869085ab8f949a472c98ecf128727b57f4f2953a8efd4b76a9d3945e
SSDEEP

24576:OzvKXRmFjLM+iq8eK4Fyu4DG6l7mpM52Tp1Qx:OzvKhoHM+sX4Fyu6xmpLp1Qx

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

Lolarne.no-ip.info:1604

Lolarne.no-ip.info:81

Mutex

DC_MUTEX-WQBMKHF

Attributes

gencode
8n81%wUw/*Ji
install
false
offline_keylogger
true
persistence
false

rc4.plain

Targets

- Target
  
  JaffaCakes118_b65db09b7aa7715778918b2f4ef8df95
- Size
  
  1.2MB
- MD5
  
  b65db09b7aa7715778918b2f4ef8df95
- SHA1
  
  d3a58b81ff9043cccdfa9b025d34e807b0d0aff6
- SHA256
  
  2a36bfa24a13cff48080cc90e8233561b63c7b0bca4fd36dea43a1012d6ed45a
- SHA512
  
  11468e8fa73b0b772d96c07fa8a28b54757102e8ea4e3f33ecbff8d4f7c90c3cf7259ec7869085ab8f949a472c98ecf128727b57f4f2953a8efd4b76a9d3945e
- SSDEEP
  
  24576:OzvKXRmFjLM+iq8eK4Fyu4DG6l7mpM52Tp1Qx:OzvKhoHM+sX4Fyu6xmpLp1Qx
Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies security service
  defense_evasion
- Windows security bypass
  defense_evasion trojan
- Executes dropped EXE
- Uses the VBS compiler for execution
- Windows security modification
  defense_evasion trojan
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16defense_evasiondiscoverypersistencerattrojan