darkcomet | 754209056906ab5fb4674fd3c8e40983ed049296caee2c84be14b97d890a73c7 | Triage

Submit
Reports

Overview

overview

Static

static

0c52231357...18.exe

windows7-x64

0c52231357...18.exe

windows10-2004-x64

Sharing

General

Target

0c5223135705127340de474101377fe5_JaffaCakes118
Size

421KB
Sample

240621-ryc5hsxgjr
MD5

0c5223135705127340de474101377fe5
SHA1

985e77a2140c0a550969a852f562d5b3a0ac54fb
SHA256

754209056906ab5fb4674fd3c8e40983ed049296caee2c84be14b97d890a73c7
SHA512

19919f2f3bc14eec61169305093af95d45719a80b3bef49310432897fa62bdb9ef5f17495183583e3c7a21c4e15b4e7a3340442f26064768da2ab8c3eaea4319
SSDEEP

6144:PMg79ZIqzIKS6FiBxZJ0w1lSWdWIYhwYS8df0eiHvPiiUQ:PMg7wqli7zLXSVIYhwYS8diii

Score

10^/10

darkcomet guest16 persistence rat trojan upx

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

0c5223135705127340de474101377fe5_JaffaCakes118.exe

Resource

win7-20240508-en

darkcomet guest16 persistence rat trojan upx

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

0c5223135705127340de474101377fe5_JaffaCakes118.exe

Resource

win10v2004-20240611-en

darkcomet guest16 persistence rat trojan upx

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

Extracted

Family

darkcomet

Botnet

Guest16

C2

kaanzy.no-ip.biz:81

Mutex

DC_MUTEX-K4YR9XA

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
xy82A9W0TQCa
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  0c5223135705127340de474101377fe5_JaffaCakes118
- Size
  
  421KB
- MD5
  
  0c5223135705127340de474101377fe5
- SHA1
  
  985e77a2140c0a550969a852f562d5b3a0ac54fb
- SHA256
  
  754209056906ab5fb4674fd3c8e40983ed049296caee2c84be14b97d890a73c7
- SHA512
  
  19919f2f3bc14eec61169305093af95d45719a80b3bef49310432897fa62bdb9ef5f17495183583e3c7a21c4e15b4e7a3340442f26064768da2ab8c3eaea4319
- SSDEEP
  
  6144:PMg79ZIqzIKS6FiBxZJ0w1lSWdWIYhwYS8df0eiHvPiiUQ:PMg7wqli7zLXSVIYhwYS8diii
Score

10^/10

darkcomet guest16 persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

darkcometguest16persistencerattrojanupx

behavioral2

darkcometguest16persistencerattrojanupx

© 2018-2024

Terms | Privacy