darkcomet | fc2e03dee1a62f0c7b6e84354a3bb187588f78048d4aad87a01cb967f9df3844 | Triage

Submit
Reports

Overview

overview

Static

static

3

21ce0bf3df...18.exe

windows7-x64

21ce0bf3df...18.exe

windows10-2004-x64

Sharing

General

Target

21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118
Size

281KB
Sample

240703-k3c7rawaqb
MD5

21ce0bf3df358c7a3d87034d4cba8a73
SHA1

d3cf383529b827668a581a517bab63fd1f5064f6
SHA256

fc2e03dee1a62f0c7b6e84354a3bb187588f78048d4aad87a01cb967f9df3844
SHA512

b9a1aefc6961cdc4eeebf17d6fa0c4ddff36da64a9dbdab6a419c72b3a822fb1beb20d35db2a676a709b69ab6b2edb5af9044ef72032aea11bfc6df99b33a61a
SSDEEP

6144:2PFhbjbYGBWA72gTXbbqidowX3CJkwWXejkJEwwRlu:KXfbhocLb9owX3CJ3cejkuwG

Score

10^/10

darkcomet guest16 persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe

Resource

win7-20240419-en

darkcomet guest16 persistence rat trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe

Resource

win10v2004-20240508-en

darkcomet guest16 persistence rat trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

www2q.hopto.org:1604

Mutex

DC_MUTEX-PTGB02B

Attributes

InstallPath
Up\Update.exe
gencode
fFbst8hvUYyb
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

Targets

- Target
  
  21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118
- Size
  
  281KB
- MD5
  
  21ce0bf3df358c7a3d87034d4cba8a73
- SHA1
  
  d3cf383529b827668a581a517bab63fd1f5064f6
- SHA256
  
  fc2e03dee1a62f0c7b6e84354a3bb187588f78048d4aad87a01cb967f9df3844
- SHA512
  
  b9a1aefc6961cdc4eeebf17d6fa0c4ddff36da64a9dbdab6a419c72b3a822fb1beb20d35db2a676a709b69ab6b2edb5af9044ef72032aea11bfc6df99b33a61a
- SSDEEP
  
  6144:2PFhbjbYGBWA72gTXbbqidowX3CJkwWXejkJEwwRlu:KXfbhocLb9owX3CJ3cejkuwG
Score

10^/10

darkcomet guest16 persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

darkcometguest16persistencerattrojan

behavioral2

darkcometguest16persistencerattrojan

© 2018-2024

Terms | Privacy