darkcomet | bd76dfec25932ec66a7a479c7f595eeb5b46d9dbc0a737c569c404cde5f399a4 | Triage

Sharing

General

Target

JaffaCakes118_bea31be31b89909987683c88643b502d
Size

723KB
Sample

250418-srpemsw1az
MD5

bea31be31b89909987683c88643b502d
SHA1

165c1b997918cd504e9f92a28e2c45a0cea55c29
SHA256

bd76dfec25932ec66a7a479c7f595eeb5b46d9dbc0a737c569c404cde5f399a4
SHA512

f408520f56f8a9a871d6e4790290c14abc61fd6c4f16823cc138586ed8c2a42115248ef65dd4d168e7330cf114d81eb66ac30aa4f6becf05871877c2f4e58cb3
SSDEEP

12288:gFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0w/q9jJy:Q3nbWmJVJFwSddIXvfhqbiaxvRxq9I

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

molest.bounceme.net:700

Mutex

DC_MUTEX-F54S21D

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
JlZ9il58mTDg
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

rc4.plain

Targets

- Target
  
  JaffaCakes118_bea31be31b89909987683c88643b502d
- Size
  
  723KB
- MD5
  
  bea31be31b89909987683c88643b502d
- SHA1
  
  165c1b997918cd504e9f92a28e2c45a0cea55c29
- SHA256
  
  bd76dfec25932ec66a7a479c7f595eeb5b46d9dbc0a737c569c404cde5f399a4
- SHA512
  
  f408520f56f8a9a871d6e4790290c14abc61fd6c4f16823cc138586ed8c2a42115248ef65dd4d168e7330cf114d81eb66ac30aa4f6becf05871877c2f4e58cb3
- SSDEEP
  
  12288:gFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0w/q9jJy:Q3nbWmJVJFwSddIXvfhqbiaxvRxq9I
Score

10^/10

darkcomet guest16 discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

guest16darkcomet

behavioral1

darkcometguest16discoverypersistencerattrojan

behavioral2

darkcometguest16discoverypersistencerattrojan