darkcomet | 2d631fe6c1c02c67198648c5f7ae1891262bf277721f664bd6c8ffb0e7d6a681

General

Target

Order Requirement 341.exe
Size

3.1MB
MD5

f0706cd83ed4da6d24a71767ccfd5741
SHA1

d76adb5de515fbcedb4cae93cf77951c33505a1f
SHA256

2d631fe6c1c02c67198648c5f7ae1891262bf277721f664bd6c8ffb0e7d6a681
SHA512

087dd99254f5a11c2df615c99e161f849d86eb8dcdb4bf242b756c20a369aad1355ef9a2f451f682d2a674a69d25f5c0ba1fdb3642587be2862cb284d17a2b2d

Score

10^/10

darkcomet january 2021 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

JANuary 2021

C2

chrisle79.ddns.net:3317

jacknop79.ddns.net:3317

smath79.ddns.net:3317

whatis79.ddns.net:3317

goodgt79.ddns.net:3317

bonding79.ddns.net:3317

Mutex

DC_MUTEX-X1VW1F7

Attributes

gencode
U35l73tWGu8y
install
false
offline_keylogger
true
password
Password20$
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Order Requirement 341.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\dWZXvMes6eRk2d5b\\CIe1f5SAYb7X.exe\",explorer.exe"	Order Requirement 341.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Order Requirement 341.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Order Requirement 341.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Order Requirement 341.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Order Requirement 341.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine Order Requirement 341.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

Order Requirement 341.exe

description pid process target process

PID 1924 set thread context of 584 1924 Order Requirement 341.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Order Requirement 341.exe

pid process

1924 Order Requirement 341.exe
1924 Order Requirement 341.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine	Order Requirement 341.exe

description	pid	process	target process
PID 1924 set thread context of 584	1924	Order Requirement 341.exe	vbc.exe

pid	process
1924	Order Requirement 341.exe
1924	Order Requirement 341.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

Order Requirement 341.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1924	Order Requirement 341.exe
Token: SeDebugPrivilege	1924	Order Requirement 341.exe
Token: SeIncreaseQuotaPrivilege	584	vbc.exe
Token: SeSecurityPrivilege	584	vbc.exe
Token: SeTakeOwnershipPrivilege	584	vbc.exe
Token: SeLoadDriverPrivilege	584	vbc.exe
Token: SeSystemProfilePrivilege	584	vbc.exe
Token: SeSystemtimePrivilege	584	vbc.exe
Token: SeProfSingleProcessPrivilege	584	vbc.exe
Token: SeIncBasePriorityPrivilege	584	vbc.exe
Token: SeCreatePagefilePrivilege	584	vbc.exe
Token: SeBackupPrivilege	584	vbc.exe
Token: SeRestorePrivilege	584	vbc.exe
Token: SeShutdownPrivilege	584	vbc.exe
Token: SeDebugPrivilege	584	vbc.exe
Token: SeSystemEnvironmentPrivilege	584	vbc.exe
Token: SeChangeNotifyPrivilege	584	vbc.exe
Token: SeRemoteShutdownPrivilege	584	vbc.exe
Token: SeUndockPrivilege	584	vbc.exe
Token: SeManageVolumePrivilege	584	vbc.exe
Token: SeImpersonatePrivilege	584	vbc.exe
Token: SeCreateGlobalPrivilege	584	vbc.exe
Token: 33	584	vbc.exe
Token: 34	584	vbc.exe
Token: 35	584	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

584 vbc.exe

pid	process
584	vbc.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Order Requirement 341.exe

description	pid	process	target process
PID 1924 wrote to memory of 584	1924	Order Requirement 341.exe	vbc.exe
PID 1924 wrote to memory of 584	1924	Order Requirement 341.exe	vbc.exe
PID 1924 wrote to memory of 584	1924	Order Requirement 341.exe	vbc.exe
PID 1924 wrote to memory of 584	1924	Order Requirement 341.exe	vbc.exe
PID 1924 wrote to memory of 584	1924	Order Requirement 341.exe	vbc.exe
PID 1924 wrote to memory of 584	1924	Order Requirement 341.exe	vbc.exe
PID 1924 wrote to memory of 584	1924	Order Requirement 341.exe	vbc.exe
PID 1924 wrote to memory of 584	1924	Order Requirement 341.exe	vbc.exe
PID 1924 wrote to memory of 584	1924	Order Requirement 341.exe	vbc.exe
PID 1924 wrote to memory of 584	1924	Order Requirement 341.exe	vbc.exe
PID 1924 wrote to memory of 584	1924	Order Requirement 341.exe	vbc.exe
PID 1924 wrote to memory of 584	1924	Order Requirement 341.exe	vbc.exe
PID 1924 wrote to memory of 584	1924	Order Requirement 341.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\Order Requirement 341.exe
"C:\Users\Admin\AppData\Local\Temp\Order Requirement 341.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

2

T1497

Scripting

1

T1064

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/584-6-0x000000000048F888-mapping.dmp

Download
memory/584-5-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/584-9-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/584-8-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1924-2-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1924-3-0x0000000000DC2000-0x0000000000E52000-memory.dmp

Filesize
576KB

Download
memory/1924-4-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads