darkcomet | 74f53540e84983f13274e5b0e9f9f73f9a4033306d6829154bfb21842cf38bb8 | Triage

Sharing

General

Target

JaffaCakes118_ba52bfc4275afe6693c885a0e0a249a5
Size

675KB
Sample

250417-vcrybsxlv6
MD5

ba52bfc4275afe6693c885a0e0a249a5
SHA1

ee24219b42f86ef4dd0a9e8c4eb39945e10faf78
SHA256

74f53540e84983f13274e5b0e9f9f73f9a4033306d6829154bfb21842cf38bb8
SHA512

21e2a2c2baa661e8dff9ac29593bd893c9d258d9bc2e25b13bcb4832988d278092769992ee87088e657ff46e69f8b5c66d540ca78146e364289b2a404015c20a
SSDEEP

12288:+okuq4tpQff9j7nTJKXwGlB+ANyjaBDKRnxhXmoy0L6sj+xNOMvblcTE4TzgZU9:+bCDmfZ7nTRGWA2w10zqiqblcqK9

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

giviker.zapto.org:100

127.0.0.1:81

Mutex

DC_MUTEX-V8U94FG

Attributes

InstallPath
Windupdate\winupdate.exe
gencode
g4pACYv8bQ%*
install
true
offline_keylogger
true
persistence
true
reg_key
winupdate

rc4.plain

Targets

- Target
  
  setup.exe
- Size
  
  712KB
- MD5
  
  3d30882dd83cdbcb727fa9fe6f93180a
- SHA1
  
  b4a951c7fe04688c25f91ccb887b8dc22fc759fd
- SHA256
  
  1491e9e9a7feaba77ea5f3114cf10dc279e57f807bc5ab0a7044b8eb8df1377c
- SHA512
  
  d0f2d0d83b5860982debe6118a74cb43d5b1f699deab73c73f79a24c19181bd796ab869d74fc46a8b76e49f0f516fb54b61c10ae5d5c662899f087d035fdda7b
- SSDEEP
  
  12288:/kfaC8uq4tpQxf91tnVhKLw8lx+AByjQBDKRXxhXQoy0LEsj+xNcMvbTcvE4Tzgu:J/CD6fntnVX8yASqx0Fq4qbTcef2
Score

10^/10

darkcomet guest16 discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16discoverypersistencerattrojan

behavioral2

darkcometguest16discoverypersistencerattrojan