darkcomet | 8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d

General

Target

8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe
Size

3.6MB
MD5

0cc4b215bf319dfc3a93c784a9e455ec
SHA1

4f39f687c1449665f66081325bebada166772d28
SHA256

8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d
SHA512

ed84d3e693c18348fc61a6e0698d095e3efbedb8b99cafc5cd47d938905a276dfaecae4c789ae2a17b2bfc4dc6a4b4b5c0c9e607fe9d16899351724a7309d993

Score

10^/10

darkcomet puffy 001 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Puffy 001

C2

againme666.ddns.net:1604

Mutex

DC_MUTEX-8FFHWUR

Attributes

gencode
iGsZPLQk83py
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\OlYUmI05WEo90cnM\\vD8am5G4Cm2V.exe\",explorer.exe"	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

Processes:

8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe

description	pid	process	target process
PID 1020 set thread context of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe
PID 1020 set thread context of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

2696 vlc.exe

pid	process
2696	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe

pid	process
1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe
1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

2696 vlc.exe

pid	process
2696	vlc.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exeAUDIODG.EXEvlc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe
Token: SeDebugPrivilege	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe
Token: 33	1532	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1532	AUDIODG.EXE
Token: 33	2696	vlc.exe
Token: SeIncBasePriorityPrivilege	2696	vlc.exe
Token: SeIncreaseQuotaPrivilege	416	vbc.exe
Token: SeSecurityPrivilege	416	vbc.exe
Token: SeTakeOwnershipPrivilege	416	vbc.exe
Token: SeLoadDriverPrivilege	416	vbc.exe
Token: SeSystemProfilePrivilege	416	vbc.exe
Token: SeSystemtimePrivilege	416	vbc.exe
Token: SeProfSingleProcessPrivilege	416	vbc.exe
Token: SeIncBasePriorityPrivilege	416	vbc.exe
Token: SeCreatePagefilePrivilege	416	vbc.exe
Token: SeBackupPrivilege	416	vbc.exe
Token: SeRestorePrivilege	416	vbc.exe
Token: SeShutdownPrivilege	416	vbc.exe
Token: SeDebugPrivilege	416	vbc.exe
Token: SeSystemEnvironmentPrivilege	416	vbc.exe
Token: SeChangeNotifyPrivilege	416	vbc.exe
Token: SeRemoteShutdownPrivilege	416	vbc.exe
Token: SeUndockPrivilege	416	vbc.exe
Token: SeManageVolumePrivilege	416	vbc.exe
Token: SeImpersonatePrivilege	416	vbc.exe
Token: SeCreateGlobalPrivilege	416	vbc.exe
Token: 33	416	vbc.exe
Token: 34	416	vbc.exe
Token: 35	416	vbc.exe
Token: 36	416	vbc.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

vlc.exe

pid process

2696 vlc.exe
2696 vlc.exe
2696 vlc.exe
2696 vlc.exe
2696 vlc.exe
2696 vlc.exe
2696 vlc.exe
2696 vlc.exe
2696 vlc.exe
2696 vlc.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

vlc.exe

pid process

2696 vlc.exe
2696 vlc.exe
2696 vlc.exe
2696 vlc.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

vlc.exevbc.exe

pid process

2696 vlc.exe
2696 vlc.exe
416 vbc.exe

pid	process
2696	vlc.exe
2696	vlc.exe
2696	vlc.exe
2696	vlc.exe
2696	vlc.exe
2696	vlc.exe
2696	vlc.exe
2696	vlc.exe
2696	vlc.exe
2696	vlc.exe

pid	process
2696	vlc.exe
2696	vlc.exe
2696	vlc.exe
2696	vlc.exe

pid	process
2696	vlc.exe
2696	vlc.exe
416	vbc.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe

description	pid	process	target process
PID 1020 wrote to memory of 2696	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vlc.exe
PID 1020 wrote to memory of 2696	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vlc.exe
PID 1020 wrote to memory of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe
PID 1020 wrote to memory of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe
PID 1020 wrote to memory of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe
PID 1020 wrote to memory of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe
PID 1020 wrote to memory of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe
PID 1020 wrote to memory of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe
PID 1020 wrote to memory of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe
PID 1020 wrote to memory of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe
PID 1020 wrote to memory of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe
PID 1020 wrote to memory of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe
PID 1020 wrote to memory of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe
PID 1020 wrote to memory of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe
PID 1020 wrote to memory of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe
PID 1020 wrote to memory of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe
PID 1020 wrote to memory of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe
PID 1020 wrote to memory of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe
PID 1020 wrote to memory of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe
PID 1020 wrote to memory of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe
PID 1020 wrote to memory of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe
PID 1020 wrote to memory of 416	1020	8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe
"C:\Users\Admin\AppData\Local\Temp\8b540bf1f0f283d0a074b95422f7c619f7c81a73067d2e1e00e72d923575c51d.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\eaWQE3b8AacUr63S.3gp"
2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:416

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x348
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eaWQE3b8AacUr63S.3gp
MD5
0610fb6636f76c56816b58a2a45425d9

SHA1
df269608977d20f5ee9edd5180bfaf188c6ccd3a

SHA256
7b0d241e30bd6b2a18e6089d0f46bf12117356c3528f2b6a45ea4ec7a4fb344a

SHA512
039e6015a858d6915dc10b1c571c86239627b4880b652404897f50435df272147dedad32c663251e8bd702fc1bb99d68f61309e977b24f67db6cbb2237eafbba

Download Submit
memory/416-6-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/416-7-0x000000000048F888-mapping.dmp

Download
memory/416-8-0x000000000048F888-mapping.dmp

Download
memory/416-9-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/416-10-0x0000000000701000-0x0000000000702000-memory.dmp

Filesize
4KB

Download
memory/416-11-0x0000000000701000-0x0000000000702000-memory.dmp

Filesize
4KB

Download
memory/416-12-0x0000000000702000-0x0000000000704000-memory.dmp

Filesize
8KB

Download
memory/2696-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads