darkcomet | 083e6e89198bd3088d2798d4e22e72e577666cbc16884e464766504c70ef4276 | Triage

Submit
Reports

Overview

overview

Static

static

3

163b14745b...18.exe

windows7-x64

163b14745b...18.exe

windows10-2004-x64

Sharing

General

Target

163b14745b63876196be7dd7e91c1be2_JaffaCakes118
Size

332KB
Sample

240627-q5efgswgpj
MD5

163b14745b63876196be7dd7e91c1be2
SHA1

c7c6940cf4f05ad67b5cb141d98c7c208b2e6885
SHA256

083e6e89198bd3088d2798d4e22e72e577666cbc16884e464766504c70ef4276
SHA512

795cfb77ef725c34aa62757cf6c321cf671c10825d832325c687b96bebbd9ccaf4db90df917d58d0a0d4ab50985dce174dee47836ea62eb916312bce2cfc9da6
SSDEEP

6144:sYLtU7Ixhnhz5qLZWBRyve1+HxhV+baign+kuERMEnBa:7sI3lQK71870baign+kRXnI

Score

10^/10

darkcomet one-dz evasion persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

163b14745b63876196be7dd7e91c1be2_JaffaCakes118.exe

Resource

win7-20240508-en

darkcomet one-dz evasion persistence rat trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

163b14745b63876196be7dd7e91c1be2_JaffaCakes118.exe

Resource

win10v2004-20240611-en

darkcomet one-dz evasion persistence rat trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

One-Dz

C2

fucksuck.myftp.org:100

Mutex

DC_MUTEX-BV4T666

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
isDoctiQ3i8k
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  163b14745b63876196be7dd7e91c1be2_JaffaCakes118
- Size
  
  332KB
- MD5
  
  163b14745b63876196be7dd7e91c1be2
- SHA1
  
  c7c6940cf4f05ad67b5cb141d98c7c208b2e6885
- SHA256
  
  083e6e89198bd3088d2798d4e22e72e577666cbc16884e464766504c70ef4276
- SHA512
  
  795cfb77ef725c34aa62757cf6c321cf671c10825d832325c687b96bebbd9ccaf4db90df917d58d0a0d4ab50985dce174dee47836ea62eb916312bce2cfc9da6
- SSDEEP
  
  6144:sYLtU7Ixhnhz5qLZWBRyve1+HxhV+baign+kuERMEnBa:7sI3lQK71870baign+kRXnI
Score

10^/10

darkcomet one-dz evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Disable or Modify System Firewall

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

darkcometone-dzevasionpersistencerattrojan

behavioral2

darkcometone-dzevasionpersistencerattrojan

© 2018-2024

Terms | Privacy