darkcomet | 58d1d43c864ff4a3926e02151ec48a9038586394ad3e3bb9193dc26e35718487 | Triage

Submit
Reports

Overview

overview

Static

static

176ce8ced7...18.exe

windows7-x64

176ce8ced7...18.exe

windows10-2004-x64

Sharing

General

Target

176ce8ced727581cc9f115c5aa55edea_JaffaCakes118
Size

649KB
Sample

240627-zbnxha1hlj
MD5

176ce8ced727581cc9f115c5aa55edea
SHA1

5f927c97f132d52defe29a7b8c54603187570d1c
SHA256

58d1d43c864ff4a3926e02151ec48a9038586394ad3e3bb9193dc26e35718487
SHA512

e0b3901ae184dfda7ebfa8903d2daa3076d96310d28407adfd2c8932b9c872e6e486c12daefe1e1d5568437d54198bcf13c8b7dd650d156c99cd1cc7547cc96b
SSDEEP

12288:Nk0QNlxOnizg37k4LUSd0rv5WvYW5HMzLXj9pqQd7cqESAYi991fA/aV7:+0QpGih4bd0rv5+l5szLXj917cqPu91L

Score

10^/10

darkcomet s3rv3r-2 persistence rat trojan

Static task

static1

s3rv3r-2 darkcomet

2 signatures

Behavioral task

behavioral1

Sample

176ce8ced727581cc9f115c5aa55edea_JaffaCakes118.exe

Resource

win7-20240611-en

darkcomet s3rv3r-2 persistence rat trojan

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

176ce8ced727581cc9f115c5aa55edea_JaffaCakes118.exe

Resource

win10v2004-20240508-en

darkcomet s3rv3r-2 persistence rat trojan

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

s3rv3r-2

C2

tengxunsafeupdate.servecounterstrike.com:82

Mutex

DCMIN_MUTEX-2NZCBWP

Attributes

InstallPath
WinDefender.exe
gencode
2mzxGWP6uod7
install
true
offline_keylogger
true
persistence
false
reg_key
WindowsDefender

Targets

- Target
  
  176ce8ced727581cc9f115c5aa55edea_JaffaCakes118
- Size
  
  649KB
- MD5
  
  176ce8ced727581cc9f115c5aa55edea
- SHA1
  
  5f927c97f132d52defe29a7b8c54603187570d1c
- SHA256
  
  58d1d43c864ff4a3926e02151ec48a9038586394ad3e3bb9193dc26e35718487
- SHA512
  
  e0b3901ae184dfda7ebfa8903d2daa3076d96310d28407adfd2c8932b9c872e6e486c12daefe1e1d5568437d54198bcf13c8b7dd650d156c99cd1cc7547cc96b
- SSDEEP
  
  12288:Nk0QNlxOnizg37k4LUSd0rv5WvYW5HMzLXj9pqQd7cqESAYi991fA/aV7:+0QpGih4bd0rv5+l5szLXj917cqPu91L
Score

10^/10

darkcomet s3rv3r-2 persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

s3rv3r-2darkcomet

behavioral1

darkcomets3rv3r-2persistencerattrojan

behavioral2

darkcomets3rv3r-2persistencerattrojan

© 2018-2024

Terms | Privacy