darkcomet | 87fd1a37f56e55cc20cdf882955d9ac37a857bd0bf12c480ea76f9a452438ab6

General

Target

Payment 381.exe
Size

3.1MB
MD5

3602f8e02342949364e8669e0c88f686
SHA1

8b2f47300d6fecd4d5fcef477b7cbd63cf6ef8c5
SHA256

87fd1a37f56e55cc20cdf882955d9ac37a857bd0bf12c480ea76f9a452438ab6
SHA512

c4368cf6fc0e76442f9e8ff812d4dea125ff61eee360085ccd870d8e11c57dec8d1c92cd310cfee58990f220236e06561424c48e84e743140923f7a15bca8890

Score

10^/10

darkcomet february 2021 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

FEBruary 2021

C2

bonding79.ddns.net:3316

goodgt79.ddns.net:3316

whatis79.ddns.net:3316

smath79.ddns.net:3316

jacknop79.ddns.net:3316

chrisle79.ddns.net:3316

Mutex

DC_MUTEX-ZKP4D0B

Attributes

gencode
wb6TW2qCEdyf
install
false
offline_keylogger
true
password
Password20$
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Payment 381.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\BlVOMYes18rDEfDp\\IBGNJl8agV4P.exe\",explorer.exe"	Payment 381.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Payment 381.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Payment 381.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Payment 381.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Payment 381.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine Payment 381.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

Payment 381.exe

description pid process target process

PID 4692 set thread context of 3096 4692 Payment 381.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Payment 381.exe

pid process

4692 Payment 381.exe
4692 Payment 381.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	Payment 381.exe

description	pid	process	target process
PID 4692 set thread context of 3096	4692	Payment 381.exe	vbc.exe

pid	process
4692	Payment 381.exe
4692	Payment 381.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

Payment 381.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	4692	Payment 381.exe
Token: SeDebugPrivilege	4692	Payment 381.exe
Token: SeIncreaseQuotaPrivilege	3096	vbc.exe
Token: SeSecurityPrivilege	3096	vbc.exe
Token: SeTakeOwnershipPrivilege	3096	vbc.exe
Token: SeLoadDriverPrivilege	3096	vbc.exe
Token: SeSystemProfilePrivilege	3096	vbc.exe
Token: SeSystemtimePrivilege	3096	vbc.exe
Token: SeProfSingleProcessPrivilege	3096	vbc.exe
Token: SeIncBasePriorityPrivilege	3096	vbc.exe
Token: SeCreatePagefilePrivilege	3096	vbc.exe
Token: SeBackupPrivilege	3096	vbc.exe
Token: SeRestorePrivilege	3096	vbc.exe
Token: SeShutdownPrivilege	3096	vbc.exe
Token: SeDebugPrivilege	3096	vbc.exe
Token: SeSystemEnvironmentPrivilege	3096	vbc.exe
Token: SeChangeNotifyPrivilege	3096	vbc.exe
Token: SeRemoteShutdownPrivilege	3096	vbc.exe
Token: SeUndockPrivilege	3096	vbc.exe
Token: SeManageVolumePrivilege	3096	vbc.exe
Token: SeImpersonatePrivilege	3096	vbc.exe
Token: SeCreateGlobalPrivilege	3096	vbc.exe
Token: 33	3096	vbc.exe
Token: 34	3096	vbc.exe
Token: 35	3096	vbc.exe
Token: 36	3096	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

3096 vbc.exe

pid	process
3096	vbc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Payment 381.exe

description	pid	process	target process
PID 4692 wrote to memory of 3096	4692	Payment 381.exe	vbc.exe
PID 4692 wrote to memory of 3096	4692	Payment 381.exe	vbc.exe
PID 4692 wrote to memory of 3096	4692	Payment 381.exe	vbc.exe
PID 4692 wrote to memory of 3096	4692	Payment 381.exe	vbc.exe
PID 4692 wrote to memory of 3096	4692	Payment 381.exe	vbc.exe
PID 4692 wrote to memory of 3096	4692	Payment 381.exe	vbc.exe
PID 4692 wrote to memory of 3096	4692	Payment 381.exe	vbc.exe
PID 4692 wrote to memory of 3096	4692	Payment 381.exe	vbc.exe
PID 4692 wrote to memory of 3096	4692	Payment 381.exe	vbc.exe
PID 4692 wrote to memory of 3096	4692	Payment 381.exe	vbc.exe
PID 4692 wrote to memory of 3096	4692	Payment 381.exe	vbc.exe
PID 4692 wrote to memory of 3096	4692	Payment 381.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\Payment 381.exe
"C:\Users\Admin\AppData\Local\Temp\Payment 381.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

2

T1497

Scripting

1

T1064

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3096-4-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3096-5-0x000000000048F888-mapping.dmp

Download
memory/3096-6-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3096-7-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/4692-2-0x00000000008E2000-0x0000000000978000-memory.dmp

Filesize
600KB

Download
memory/4692-3-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads