Overview

overview

10

Static

static

URLScan

urlscan

https://bit.ly/34b1I...

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    24-05-2021 09:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://bit.ly/34b1IGn

Score
10/10
darkcometmay 2021evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

May 2021

C2

bonding79.ddns.net:3316

goodgt79.ddns.net:3316

whatis79.ddns.net:3316

smath79.ddns.net:3316

jacknop79.ddns.net:3316

chrisle79.ddns.net:3316
Mutex

DC_MUTEX-PPMNGQA

Attributes
  • gencode

    AUQYBsRj2TWk

  • install

    false

  • offline_keylogger

    true

  • password

    Password20$

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 44 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/34b1IGn
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1968 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1816
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3696
    • C:\Users\Admin\AppData\Local\Temp\Temp1_Purchase_Order_781.zip\Purchase Order 781.exe
      "C:\Users\Admin\AppData\Local\Temp\Temp1_Purchase_Order_781.zip\Purchase Order 781.exe"
      1⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3328

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Virtualization/Sandbox Evasion

    2
    T1497

    Scripting

    1
    T1064

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      MD5

      ec3d35056ed319ebf029273ad7b05ec0

      SHA1

      d17853eb8dea282d84488c41ee79235d4de17e4c

      SHA256

      1cc39ee9114987433d0e92ff39c7972245eaa0b8d2378bce66b0567dbf2e53eb

      SHA512

      ad21c9130a9b77b05366cc52d6c6008aae2e05bd3f52e31104ba777fd302467101c29ffda94d26f28b808aa585606f2e0d6c39bce9903d894f812900655c35f7

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      MD5

      d1a9c3e131945d8f541f9578cf91dc7e

      SHA1

      93288e87dcf156fe55478a832637e572d209a442

      SHA256

      f1c585aba7454ec1d49f583788a1b88e76d0e44fbcec2818e3738d33a832148d

      SHA512

      10bbcb973a7bc103f418dc818c50f037d1088cf5455e53ad482958dceb8003567bd5921e208630f4276e42f3313c03b94a64c22822bc77404275db18aac2d762

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U0EJMF7X\Purchase_Order_781.zip.ifshtii.partial
      MD5

      244bd3926f2173d3afc03dc30911bd0f

      SHA1

      906ed2a55f4dcae21221e9b99e0b8ba321176d94

      SHA256

      e1239f00d096ca7c112ae7e0c4f6a2d622b5d59b4702c80fc62b25c83c733473

      SHA512

      35c1fa37f45a4d3873a9f288f84761d03bd65d98d01a6c3a6f816cc981f77373f8045c8508b8978b04aae93c6cf2b983fa1bc2b0b7a8cc53f74c8c5a664fddd6

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\008Z630D.cookie
      MD5

      c736ae0c49719abc35c82d3ef84efe80

      SHA1

      fa52d53fe0d8c211bd689d3d94d8a09bb3097844

      SHA256

      8eb4a3e5b21feb5e69d776b499e6796707650fbf4dc6883e40fb2a106300211b

      SHA512

      0941c29bdd588e9008546f520f35fd633f848f8f15daaf15c6579f26c957cc7fde6978b43a918e80a430350d6b5e4523529e318ea5eb4c1955af365ec149bdd9

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\AZVKYRIG.cookie
      MD5

      ab4334a439b097a58025443cc4e3b002

      SHA1

      f361320f842cf1a8c770c981c2489410d2eb5953

      SHA256

      ea91f36fa4f42c3889f67d36ed4d4e8d741cb46f21701f391c6c4dbc1f76dfc8

      SHA512

      8f681416ff180e0043871cea0752d2b65a31a6dda82cfd60a6d990932b5dc881d49005b8feacc90a987e8b3a257f9599e5ebceeec3f8b8bd5ee881c6b693802d

      Download Submit
    • memory/1816-115-0x0000000000000000-mapping.dmp
      Download
    • memory/1968-114-0x00007FFC1B3D0000-0x00007FFC1B43B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/2292-118-0x00000000050E0000-0x00000000050E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2292-117-0x0000000000D90000-0x00000000011F0000-memory.dmp
      Filesize

      4.4MB

      Download
    • memory/3328-121-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/3328-123-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/3328-124-0x0000000002230000-0x0000000002231000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3328-122-0x000000000048F888-mapping.dmp
      Download