darkcomet | 7044ddd8b6a0a4dd7edd7989da538ed017522e3665ce3d0eaef606123a922f50 | Triage

Submit
Reports

Overview

overview

Static

static

24a695bd98...18.exe

windows7-x64

24a695bd98...18.exe

windows10-2004-x64

Sharing

General

Target

24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118
Size

651KB
Sample

240704-e83fyavdkq
MD5

24a695bd98fe12ff40dfea58fa37a87e
SHA1

a6f2d32c7e0dca5cf6f116e4805b093e3c672256
SHA256

7044ddd8b6a0a4dd7edd7989da538ed017522e3665ce3d0eaef606123a922f50
SHA512

0318fae3986389a91edfb4ae11509178993f4d3f0a588a9c369be1432a091c6c8d5abf697353dedf79d2c2dd4be08f20751c1fe5b6a56dcfa100e9e0d552ed23
SSDEEP

12288:Lk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+y:g0QRWoJEfg0oChGdJQbjPbNW5tYeP+GX

Score

10^/10

darkcomet guest16 persistence rat trojan

Static task

static1

guest16 darkcomet

2 signatures

Behavioral task

behavioral1

Sample

24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe

Resource

win7-20240611-en

darkcomet guest16 persistence rat trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe

Resource

win10v2004-20240611-en

darkcomet guest16 persistence rat trojan

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

mnanauk-dz.no-ip.biz:1604

Mutex

DC_MUTEX-EB46CLG

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
rpfQbN9b66NT
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118
- Size
  
  651KB
- MD5
  
  24a695bd98fe12ff40dfea58fa37a87e
- SHA1
  
  a6f2d32c7e0dca5cf6f116e4805b093e3c672256
- SHA256
  
  7044ddd8b6a0a4dd7edd7989da538ed017522e3665ce3d0eaef606123a922f50
- SHA512
  
  0318fae3986389a91edfb4ae11509178993f4d3f0a588a9c369be1432a091c6c8d5abf697353dedf79d2c2dd4be08f20751c1fe5b6a56dcfa100e9e0d552ed23
- SSDEEP
  
  12288:Lk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+y:g0QRWoJEfg0oChGdJQbjPbNW5tYeP+GX
Score

10^/10

darkcomet guest16 persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

guest16darkcomet

behavioral1

darkcometguest16persistencerattrojan

behavioral2

darkcometguest16persistencerattrojan

© 2018-2024

Terms | Privacy