darkcomet | e3532fb1c9e0c23e6e0b556425bceb08953c97883aacfb347789a3d8dd80099d

General

Target

Order Requirement 893.exe
Size

3.1MB
MD5

94d0f17a6ccc191912e09efdbe611f5e
SHA1

347d4231e88ac6fe82a8e701d0b16cfac652c92c
SHA256

e3532fb1c9e0c23e6e0b556425bceb08953c97883aacfb347789a3d8dd80099d
SHA512

7c322675175a6f3d50ce72208e6275e3853ea25de8beac1ff81ed8638fc7a305cb50f967cb194c146ac417c78593b9a1f1c18d01fd90fcc2ce3d5a2bbb31c76d

Score

10^/10

darkcomet april 2021 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

April 2021

C2

bonding79.ddns.net:3316

goodgt79.ddns.net:3316

whatis79.ddns.net:3316

smath79.ddns.net:3316

jacknop79.ddns.net:3316

chrisle79.ddns.net:3316

Mutex

DC_MUTEX-L1TFBNC

Attributes

gencode
PvcfTTVpBSKd
install
false
offline_keylogger
true
password
Password20$
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Order Requirement 893.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\ye5MuI5NRbzmJH25\\tNmo0kk46PJh.exe\",explorer.exe"	Order Requirement 893.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Order Requirement 893.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Order Requirement 893.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Order Requirement 893.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Order Requirement 893.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine Order Requirement 893.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

Order Requirement 893.exe

description pid process target process

PID 1240 set thread context of 1004 1240 Order Requirement 893.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Order Requirement 893.exe

pid process

1240 Order Requirement 893.exe
1240 Order Requirement 893.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine	Order Requirement 893.exe

description	pid	process	target process
PID 1240 set thread context of 1004	1240	Order Requirement 893.exe	vbc.exe

pid	process
1240	Order Requirement 893.exe
1240	Order Requirement 893.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

Order Requirement 893.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1240	Order Requirement 893.exe
Token: SeDebugPrivilege	1240	Order Requirement 893.exe
Token: SeIncreaseQuotaPrivilege	1004	vbc.exe
Token: SeSecurityPrivilege	1004	vbc.exe
Token: SeTakeOwnershipPrivilege	1004	vbc.exe
Token: SeLoadDriverPrivilege	1004	vbc.exe
Token: SeSystemProfilePrivilege	1004	vbc.exe
Token: SeSystemtimePrivilege	1004	vbc.exe
Token: SeProfSingleProcessPrivilege	1004	vbc.exe
Token: SeIncBasePriorityPrivilege	1004	vbc.exe
Token: SeCreatePagefilePrivilege	1004	vbc.exe
Token: SeBackupPrivilege	1004	vbc.exe
Token: SeRestorePrivilege	1004	vbc.exe
Token: SeShutdownPrivilege	1004	vbc.exe
Token: SeDebugPrivilege	1004	vbc.exe
Token: SeSystemEnvironmentPrivilege	1004	vbc.exe
Token: SeChangeNotifyPrivilege	1004	vbc.exe
Token: SeRemoteShutdownPrivilege	1004	vbc.exe
Token: SeUndockPrivilege	1004	vbc.exe
Token: SeManageVolumePrivilege	1004	vbc.exe
Token: SeImpersonatePrivilege	1004	vbc.exe
Token: SeCreateGlobalPrivilege	1004	vbc.exe
Token: 33	1004	vbc.exe
Token: 34	1004	vbc.exe
Token: 35	1004	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

1004 vbc.exe

pid	process
1004	vbc.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Order Requirement 893.exe

description	pid	process	target process
PID 1240 wrote to memory of 1004	1240	Order Requirement 893.exe	vbc.exe
PID 1240 wrote to memory of 1004	1240	Order Requirement 893.exe	vbc.exe
PID 1240 wrote to memory of 1004	1240	Order Requirement 893.exe	vbc.exe
PID 1240 wrote to memory of 1004	1240	Order Requirement 893.exe	vbc.exe
PID 1240 wrote to memory of 1004	1240	Order Requirement 893.exe	vbc.exe
PID 1240 wrote to memory of 1004	1240	Order Requirement 893.exe	vbc.exe
PID 1240 wrote to memory of 1004	1240	Order Requirement 893.exe	vbc.exe
PID 1240 wrote to memory of 1004	1240	Order Requirement 893.exe	vbc.exe
PID 1240 wrote to memory of 1004	1240	Order Requirement 893.exe	vbc.exe
PID 1240 wrote to memory of 1004	1240	Order Requirement 893.exe	vbc.exe
PID 1240 wrote to memory of 1004	1240	Order Requirement 893.exe	vbc.exe
PID 1240 wrote to memory of 1004	1240	Order Requirement 893.exe	vbc.exe
PID 1240 wrote to memory of 1004	1240	Order Requirement 893.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\Order Requirement 893.exe
"C:\Users\Admin\AppData\Local\Temp\Order Requirement 893.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

2

T1497

Scripting

1

T1064

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1004-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1004-63-0x000000000048F888-mapping.dmp

Download
memory/1004-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1004-66-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1240-59-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1240-60-0x0000000000A40000-0x0000000000D54000-memory.dmp

Filesize
3.1MB

Download
memory/1240-61-0x0000000003660000-0x0000000003661000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads