darkcomet | 9237ce0207d920ea791e28ee2a71237a461eace4b94908010192b947ba85e669 | Triage

Sharing

General

Target

JaffaCakes118_bda7043725381a27fe907536c92726ab
Size

1.5MB
Sample

250418-mf7h7az1gw
MD5

bda7043725381a27fe907536c92726ab
SHA1

4c70962338448d883669fa0759c9a90328d0e97d
SHA256

9237ce0207d920ea791e28ee2a71237a461eace4b94908010192b947ba85e669
SHA512

70285777a0e32418e697372d1d955e2681aeb04424baeed486d5d85df445cc25b268fa6064683108809ce6839c7f4bf4b81c2240b4d129516b4dc7c2b84d7254
SSDEEP

24576:6zBEwKJqZYpYhmfcBEwKJqlYZ+o1UbfYXfFefTJgNq8XvfLr3oC:W1Z9R1l62fYXterGvfnoC

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

abibenisev.dyndns.org:5678

127.0.0.1:5678

Mutex

DC_MUTEX-31CU435

Attributes

InstallPath
Windupdt\winupdate.exe
gencode
Rr+Xk3vrw5iV
install
true
offline_keylogger
true
persistence
true
reg_key
winupdater

rc4.plain

Targets

- Target
  
  JaffaCakes118_bda7043725381a27fe907536c92726ab
- Size
  
  1.5MB
- MD5
  
  bda7043725381a27fe907536c92726ab
- SHA1
  
  4c70962338448d883669fa0759c9a90328d0e97d
- SHA256
  
  9237ce0207d920ea791e28ee2a71237a461eace4b94908010192b947ba85e669
- SHA512
  
  70285777a0e32418e697372d1d955e2681aeb04424baeed486d5d85df445cc25b268fa6064683108809ce6839c7f4bf4b81c2240b4d129516b4dc7c2b84d7254
- SSDEEP
  
  24576:6zBEwKJqZYpYhmfcBEwKJqlYZ+o1UbfYXfFefTJgNq8XvfLr3oC:W1Z9R1l62fYXterGvfnoC
Score

10^/10

darkcomet guest16 discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Blocklisted process makes network request
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16discoverypersistencerattrojan

behavioral2

darkcometguest16discoverypersistencerattrojan