darkcomet | 458ea5c258bf60dc9bc05e215e1dfbe360ebdd5e7d1e4cacb8afb2d459d8c589

General

Target

IMG_WA-D0014/IMG_WA-D0014.exe
Size

1.5MB
MD5

f43802841b34045780b19c44f10652aa
SHA1

8395ff25a349459512b81c26eddff2812c486595
SHA256

e771b871b56ae87849d567a693ac3c01c5f57b737dc74435289425869ae17657
SHA512

c50e5a8c76b27bb3bb50761c7f0b9c8b0535bc604a8f687189048bb69cb903d896eb2931ab585d77c1493daec83c8369fc7f1d3ea5c7d5549fb28da2d9fb8eab

Score

10^/10

darkcomet oct 29 19 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Oct 29 19

C2

bio4kobs.geekgalaxy.com:1609

Mutex

DC_MUTEX-QUS1L2L

Attributes

gencode
sgZH9wbBsjsB
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

doctbqr.exe

pid process

908 doctbqr.exe

pid	process
908	doctbqr.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/588-66-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/588-68-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/588-70-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/588-71-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/588-72-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/588-74-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Loads dropped DLL 5 IoCs

Processes:

IMG_WA-D0014.exe

pid process

1932 IMG_WA-D0014.exe
1932 IMG_WA-D0014.exe
1932 IMG_WA-D0014.exe
1932 IMG_WA-D0014.exe
1932 IMG_WA-D0014.exe

pid	process
1932	IMG_WA-D0014.exe
1932	IMG_WA-D0014.exe
1932	IMG_WA-D0014.exe
1932	IMG_WA-D0014.exe
1932	IMG_WA-D0014.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

doctbqr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\doct = "C:\\Users\\Admin\\AppData\\Local\\doct\\doctos.vbs"	doctbqr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

doctbqr.exe

description pid process target process

PID 908 set thread context of 588 908 doctbqr.exe TapiUnattend.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

doctbqr.exe

pid process

908 doctbqr.exe
908 doctbqr.exe

description	pid	process	target process
PID 908 set thread context of 588	908	doctbqr.exe	TapiUnattend.exe

pid	process
908	doctbqr.exe
908	doctbqr.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

TapiUnattend.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	588	TapiUnattend.exe
Token: SeSecurityPrivilege	588	TapiUnattend.exe
Token: SeTakeOwnershipPrivilege	588	TapiUnattend.exe
Token: SeLoadDriverPrivilege	588	TapiUnattend.exe
Token: SeSystemProfilePrivilege	588	TapiUnattend.exe
Token: SeSystemtimePrivilege	588	TapiUnattend.exe
Token: SeProfSingleProcessPrivilege	588	TapiUnattend.exe
Token: SeIncBasePriorityPrivilege	588	TapiUnattend.exe
Token: SeCreatePagefilePrivilege	588	TapiUnattend.exe
Token: SeBackupPrivilege	588	TapiUnattend.exe
Token: SeRestorePrivilege	588	TapiUnattend.exe
Token: SeShutdownPrivilege	588	TapiUnattend.exe
Token: SeDebugPrivilege	588	TapiUnattend.exe
Token: SeSystemEnvironmentPrivilege	588	TapiUnattend.exe
Token: SeChangeNotifyPrivilege	588	TapiUnattend.exe
Token: SeRemoteShutdownPrivilege	588	TapiUnattend.exe
Token: SeUndockPrivilege	588	TapiUnattend.exe
Token: SeManageVolumePrivilege	588	TapiUnattend.exe
Token: SeImpersonatePrivilege	588	TapiUnattend.exe
Token: SeCreateGlobalPrivilege	588	TapiUnattend.exe
Token: 33	588	TapiUnattend.exe
Token: 34	588	TapiUnattend.exe
Token: 35	588	TapiUnattend.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

TapiUnattend.exe

pid process

588 TapiUnattend.exe

pid	process
588	TapiUnattend.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

IMG_WA-D0014.exedoctbqr.exe

description	pid	process	target process
PID 1932 wrote to memory of 908	1932	IMG_WA-D0014.exe	doctbqr.exe
PID 1932 wrote to memory of 908	1932	IMG_WA-D0014.exe	doctbqr.exe
PID 1932 wrote to memory of 908	1932	IMG_WA-D0014.exe	doctbqr.exe
PID 1932 wrote to memory of 908	1932	IMG_WA-D0014.exe	doctbqr.exe
PID 908 wrote to memory of 588	908	doctbqr.exe	TapiUnattend.exe
PID 908 wrote to memory of 588	908	doctbqr.exe	TapiUnattend.exe
PID 908 wrote to memory of 588	908	doctbqr.exe	TapiUnattend.exe
PID 908 wrote to memory of 588	908	doctbqr.exe	TapiUnattend.exe
PID 908 wrote to memory of 588	908	doctbqr.exe	TapiUnattend.exe
PID 908 wrote to memory of 588	908	doctbqr.exe	TapiUnattend.exe

C:\Users\Admin\AppData\Local\Temp\IMG_WA-D0014\IMG_WA-D0014.exe
"C:\Users\Admin\AppData\Local\Temp\IMG_WA-D0014\IMG_WA-D0014.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Roaming\doctbqr.exe
"C:\Users\Admin\AppData\Roaming\doctbqr.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\TapiUnattend.exe
"C:\Windows\System32\TapiUnattend.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\doct.bmp

Filesize
1.1MB

MD5
3e9f0eb34cd0aa86faadc2c19b1aadc8

SHA1
f755c8b082f46c97e9c377e93bacae0a3f5521c1

SHA256
5fb71c17a71dcc2dedc9d45c56f5621e9fd5773f8f7b2409fc83a0edf3df8dfa

SHA512
b6b337cdbf0a2d5f57edae8781a1745e9784f667cc3922bf576b467c4a5817b41b4aafd5322a0808b377a6407d851998bf84b69384f52266f286be4066c63f85

Download Submit
C:\Users\Admin\AppData\Roaming\doctbqr.exe

Filesize
891KB

MD5
8336ccaea93bd351eca733be59cc95a6

SHA1
c4a7abdd39e9dd0ec560a3ec3f9cab0e65b19488

SHA256
a0663ae9e890d831284aa95a6aacbef1e99b01440319ee4b05b747dbba7ee5ea

SHA512
5e3acaf8cf0c0b70e008b4fa030116652d84253ae6b2cbdfc718aa3a643b3f397b8ba6a3b72d94954af550caceda72af2edc457f278eb4c11628860614f980c3

Download Submit
C:\Users\Admin\AppData\Roaming\doctbqr.exe

Filesize
891KB

MD5
8336ccaea93bd351eca733be59cc95a6

SHA1
c4a7abdd39e9dd0ec560a3ec3f9cab0e65b19488

SHA256
a0663ae9e890d831284aa95a6aacbef1e99b01440319ee4b05b747dbba7ee5ea

SHA512
5e3acaf8cf0c0b70e008b4fa030116652d84253ae6b2cbdfc718aa3a643b3f397b8ba6a3b72d94954af550caceda72af2edc457f278eb4c11628860614f980c3

Download Submit
\Users\Admin\AppData\Roaming\doctbqr.exe

Filesize
891KB

MD5
8336ccaea93bd351eca733be59cc95a6

SHA1
c4a7abdd39e9dd0ec560a3ec3f9cab0e65b19488

SHA256
a0663ae9e890d831284aa95a6aacbef1e99b01440319ee4b05b747dbba7ee5ea

SHA512
5e3acaf8cf0c0b70e008b4fa030116652d84253ae6b2cbdfc718aa3a643b3f397b8ba6a3b72d94954af550caceda72af2edc457f278eb4c11628860614f980c3

Download Submit
\Users\Admin\AppData\Roaming\doctbqr.exe

Filesize
891KB

MD5
8336ccaea93bd351eca733be59cc95a6

SHA1
c4a7abdd39e9dd0ec560a3ec3f9cab0e65b19488

SHA256
a0663ae9e890d831284aa95a6aacbef1e99b01440319ee4b05b747dbba7ee5ea

SHA512
5e3acaf8cf0c0b70e008b4fa030116652d84253ae6b2cbdfc718aa3a643b3f397b8ba6a3b72d94954af550caceda72af2edc457f278eb4c11628860614f980c3

Download Submit
\Users\Admin\AppData\Roaming\doctbqr.exe

Filesize
891KB

MD5
8336ccaea93bd351eca733be59cc95a6

SHA1
c4a7abdd39e9dd0ec560a3ec3f9cab0e65b19488

SHA256
a0663ae9e890d831284aa95a6aacbef1e99b01440319ee4b05b747dbba7ee5ea

SHA512
5e3acaf8cf0c0b70e008b4fa030116652d84253ae6b2cbdfc718aa3a643b3f397b8ba6a3b72d94954af550caceda72af2edc457f278eb4c11628860614f980c3

Download Submit
\Users\Admin\AppData\Roaming\doctbqr.exe

Filesize
891KB

MD5
8336ccaea93bd351eca733be59cc95a6

SHA1
c4a7abdd39e9dd0ec560a3ec3f9cab0e65b19488

SHA256
a0663ae9e890d831284aa95a6aacbef1e99b01440319ee4b05b747dbba7ee5ea

SHA512
5e3acaf8cf0c0b70e008b4fa030116652d84253ae6b2cbdfc718aa3a643b3f397b8ba6a3b72d94954af550caceda72af2edc457f278eb4c11628860614f980c3

Download Submit
\Users\Admin\AppData\Roaming\doctbqr.exe

Filesize
891KB

MD5
8336ccaea93bd351eca733be59cc95a6

SHA1
c4a7abdd39e9dd0ec560a3ec3f9cab0e65b19488

SHA256
a0663ae9e890d831284aa95a6aacbef1e99b01440319ee4b05b747dbba7ee5ea

SHA512
5e3acaf8cf0c0b70e008b4fa030116652d84253ae6b2cbdfc718aa3a643b3f397b8ba6a3b72d94954af550caceda72af2edc457f278eb4c11628860614f980c3

Download Submit
memory/588-64-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/588-66-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/588-67-0x00000000004B56A0-mapping.dmp

Download
memory/588-68-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/588-70-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/588-71-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/588-72-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/588-74-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/908-60-0x0000000000000000-mapping.dmp

Download
memory/1932-54-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads