darkcomet | bdd3d2eb31328c3e93623405e820a51b154954ab26008a10072960a99b204e2e | Triage

Submit
Reports

Overview

overview

Static

static

18d46ddaa7...18.exe

windows7-x64

18d46ddaa7...18.exe

windows10-2004-x64

Sharing

General

Target

18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118
Size

750KB
Sample

240628-ffz1savcnj
MD5

18d46ddaa7b3c6afae42058a273789ce
SHA1

62da1f56cf1792ffc096e56eba14151a274320cc
SHA256

bdd3d2eb31328c3e93623405e820a51b154954ab26008a10072960a99b204e2e
SHA512

ffd39b63ef234314db54e5e1b12aed7bedf661d1e66d3e6ea5c21ceef4b7a176b61131f566e5dfba304da8dd3db8852396d7bbe7f8320bbef0150250ca3c1e75
SSDEEP

12288:kk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+4:V0QRWoJEfg0oChGdJQbjPbNW5tYeP+GL

Score

10^/10

darkcomet guest16 persistence rat trojan

Static task

static1

guest16 darkcomet

2 signatures

Behavioral task

behavioral1

Sample

18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe

Resource

win7-20240508-en

darkcomet guest16 persistence rat trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe

Resource

win10v2004-20240611-en

darkcomet guest16 persistence rat trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

remila.no-ip.biz:1604

Mutex

DC_MUTEX-20J85XY

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
NoNpEFiHHBFZ
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118
- Size
  
  750KB
- MD5
  
  18d46ddaa7b3c6afae42058a273789ce
- SHA1
  
  62da1f56cf1792ffc096e56eba14151a274320cc
- SHA256
  
  bdd3d2eb31328c3e93623405e820a51b154954ab26008a10072960a99b204e2e
- SHA512
  
  ffd39b63ef234314db54e5e1b12aed7bedf661d1e66d3e6ea5c21ceef4b7a176b61131f566e5dfba304da8dd3db8852396d7bbe7f8320bbef0150250ca3c1e75
- SSDEEP
  
  12288:kk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+4:V0QRWoJEfg0oChGdJQbjPbNW5tYeP+GL
Score

10^/10

darkcomet guest16 persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

guest16darkcomet

behavioral1

darkcometguest16persistencerattrojan

behavioral2

darkcometguest16persistencerattrojan

© 2018-2024

Terms | Privacy