darkcomet | 11c0e397d62858a5a59ffc635eff294ae5bf5aaf5b94f97e48ef86b599e0987e | Triage

Submit
Reports

Overview

overview

Static

static

3

192c731e82...18.exe

windows7-x64

192c731e82...18.exe

windows10-2004-x64

Sharing

General

Target

192c731e822a64cce6dc9a6725d7b651_JaffaCakes118
Size

1.8MB
Sample

240628-hk3zcaweke
MD5

192c731e822a64cce6dc9a6725d7b651
SHA1

288c85400ea2abad7f29cde9f90658e9876d1710
SHA256

11c0e397d62858a5a59ffc635eff294ae5bf5aaf5b94f97e48ef86b599e0987e
SHA512

b6f7925f4cd8b445092a947d89f492744520132abacd9bfc3535e2b406ed797490cebb3315dffd93413bba61e8f333d0429c5c942b0362b85c783e5611980006
SSDEEP

24576:Kb2/DbTeyIuPVJFFDHZWCaIYm1hCcDOmi:f/lDoC1O

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

192c731e822a64cce6dc9a6725d7b651_JaffaCakes118.exe

Resource

win7-20240611-en

darkcomet guest16 evasion persistence rat trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

192c731e822a64cce6dc9a6725d7b651_JaffaCakes118.exe

Resource

win10v2004-20240226-en

darkcomet guest16 evasion persistence rat trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

darkcomet2013.no-ip.biz:1500

192.168.1.71:1500

Mutex

DC_MUTEX-9LQ2QJ5

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
30ibXWq2y5dh
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  192c731e822a64cce6dc9a6725d7b651_JaffaCakes118
- Size
  
  1.8MB
- MD5
  
  192c731e822a64cce6dc9a6725d7b651
- SHA1
  
  288c85400ea2abad7f29cde9f90658e9876d1710
- SHA256
  
  11c0e397d62858a5a59ffc635eff294ae5bf5aaf5b94f97e48ef86b599e0987e
- SHA512
  
  b6f7925f4cd8b445092a947d89f492744520132abacd9bfc3535e2b406ed797490cebb3315dffd93413bba61e8f333d0429c5c942b0362b85c783e5611980006
- SSDEEP
  
  24576:Kb2/DbTeyIuPVJFFDHZWCaIYm1hCcDOmi:f/lDoC1O
Score

10^/10

darkcomet guest16 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

darkcometguest16evasionpersistencerattrojan

behavioral2

darkcometguest16evasionpersistencerattrojan

© 2018-2024

Terms | Privacy