darkcomet | 018556978f8a8e862bb57db11a55e0be62b424db127b66cd77451fe970b30ee0 | Triage

Submit
Reports

Overview

overview

Static

static

3

16b8315c6d...18.exe

windows7-x64

16b8315c6d...18.exe

windows10-2004-x64

Sharing

General

Target

16b8315c6de1994bdcbc0faf574a162b_JaffaCakes118
Size

300KB
Sample

240627-t5kjaasdml
MD5

16b8315c6de1994bdcbc0faf574a162b
SHA1

38c2018b835dcc8dd6e6c156f7619c8e0acc493d
SHA256

018556978f8a8e862bb57db11a55e0be62b424db127b66cd77451fe970b30ee0
SHA512

85f5c29486979cb3480fbfa9ab302a29463b060b12dc3aa95785037cfdc2b7f917492f8a1f3a7043d80ef09dca38b908b0f4423907f31148b8c554323fdca4f2
SSDEEP

6144:63EriZWNoVdGEu3j1LdH+gYOFtDD02M14rqM:8EWdGn3jzH+ca5M

Score

10^/10

darkcomet user evasion persistence rat trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

16b8315c6de1994bdcbc0faf574a162b_JaffaCakes118.exe

Resource

win7-20240611-en

darkcomet user evasion persistence rat trojan upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

16b8315c6de1994bdcbc0faf574a162b_JaffaCakes118.exe

Resource

win10v2004-20240611-en

darkcomet user evasion persistence rat trojan upx

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

User

C2

97.81.46.17:1604

socksproxy1.serveftp.com:1604

Mutex

DC_MUTEX-R0MQYLT

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
SkFtw2Fer8G2
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  16b8315c6de1994bdcbc0faf574a162b_JaffaCakes118
- Size
  
  300KB
- MD5
  
  16b8315c6de1994bdcbc0faf574a162b
- SHA1
  
  38c2018b835dcc8dd6e6c156f7619c8e0acc493d
- SHA256
  
  018556978f8a8e862bb57db11a55e0be62b424db127b66cd77451fe970b30ee0
- SHA512
  
  85f5c29486979cb3480fbfa9ab302a29463b060b12dc3aa95785037cfdc2b7f917492f8a1f3a7043d80ef09dca38b908b0f4423907f31148b8c554323fdca4f2
- SSDEEP
  
  6144:63EriZWNoVdGEu3j1LdH+gYOFtDD02M14rqM:8EWdGn3jzH+ca5M
Score

10^/10

darkcomet user evasion persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Hide Artifacts

Hidden Files and Directories

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

darkcometuserevasionpersistencerattrojanupx

behavioral2

darkcometuserevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy