Overview

overview

10

Static

static

10

DARKCOMET ...ty.exe

windows7-x64

1

DARKCOMET ...ty.exe

windows10-2004-x64

1

DARKCOMET ...at.exe

windows7-x64

10

DARKCOMET ...at.exe

windows10-2004-x64

10

DARKCOMET ...er.exe

windows7-x64

1

DARKCOMET ...er.exe

windows10-2004-x64

1

DARKCOMET ...e3.dll

windows7-x64

3

DARKCOMET ...e3.dll

windows10-2004-x64

3

DARKCOMET ...er.dll

windows7-x64

1

DARKCOMET ...er.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    152s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220718-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-07-2022 09:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/DarkCometRat.exe

  • Size

    12.1MB

  • MD5

    c8c39c4d8cdfa38169be4057a70e04f2

  • SHA1

    ceddeda4a89ad8c0fc1765511ef9da9696803f9f

  • SHA256

    62f21406a307e447db6f0c2d91c626d947544effd6f56800c5e2e1beea18375c

  • SHA512

    ab21a5273e481cce2173ea6ee5d450a28f5ab1411699500f62d2c4e1b35dd5fc825931a0cd8cca9da4e92f5e2e06784e3f14006e1d76b8e197baf02ff22f0a30

Score
10/10
asyncratdarkcometdefaultguest16evasionpersistencerattrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

susiahat24199a.ddns.net:6606

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    JavaCrashHandle.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

Guest16

C2

sussysdfffdfff343.duckdns.org:1604

Mutex

DC_MUTEX-QH9A6P4

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    YBnxcFaotAui

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    JavaUpdater

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 6 IoCs
    evasion
  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Async RAT payload 5 IoCs
    rat
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\DARKCOMET 5.3.1 Fixed\DARKCOMET 5.3.1\DarkCometRat.exe
    "C:\Users\Admin\AppData\Local\Temp\DARKCOMET 5.3.1 Fixed\DARKCOMET 5.3.1\DarkCometRat.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Users\Admin\AppData\Local\Temp\DARKCOMET.EXE
      "C:\Users\Admin\AppData\Local\Temp\DARKCOMET.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1340
    • C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE
      "C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1984
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies firewall policy service
          • Modifies security service
          • Windows security bypass
          • Disables RegEdit via registry modification
          • Adds Run key to start application
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3512
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            5⤵
              PID:3120
      • C:\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE
        "C:\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE"
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2296
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "JavaCrashHandle" /tr '"C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe"' & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3428
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "JavaCrashHandle" /tr '"C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe"'
            4⤵
            • Creates scheduled task(s)
            PID:2864
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB28C.tmp.bat""
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:396
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            4⤵
            • Delays execution with timeout.exe
            PID:3324
          • C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe
            "C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe"
            4⤵
            • Executes dropped EXE
            PID:444
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE" +s +h
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE" +s +h
        2⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:1220
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3680
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        2⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:692

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Modify Existing Service

    2
    T1031

    Hidden Files and Directories

    2
    T1158

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    6
    T1112

    Disabling Security Tools

    2
    T1089

    Hidden Files and Directories

    2
    T1158

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\DARKCOMET.EXE
      Filesize

      11.3MB

      MD5

      d761f3aa64064a706a521ba14d0f8741

      SHA1

      ab7382bcfdf494d0327fccce9c884592bcc1adeb

      SHA256

      21ca06b18698d14154a45822aaae1e3837d168cc7630bcd3ec3d8c68aaa959e6

      SHA512

      d2274c03f805a5cd62104492e154fc225c3f6997091accb2f4bff165308fc82ba0d9adf185ec744222bcb4ece08d1ba754a35a2d88c10c5743f4d2e66494377f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\DARKCOMET.EXE
      Filesize

      11.3MB

      MD5

      d761f3aa64064a706a521ba14d0f8741

      SHA1

      ab7382bcfdf494d0327fccce9c884592bcc1adeb

      SHA256

      21ca06b18698d14154a45822aaae1e3837d168cc7630bcd3ec3d8c68aaa959e6

      SHA512

      d2274c03f805a5cd62104492e154fc225c3f6997091accb2f4bff165308fc82ba0d9adf185ec744222bcb4ece08d1ba754a35a2d88c10c5743f4d2e66494377f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE
      Filesize

      126KB

      MD5

      3c9ca31b4d07143cc51a965fa8cd7ee8

      SHA1

      f1b83c2ba9955c15d2620b73a42ed92db8b49d49

      SHA256

      605264d2d678094d93a7b38c4539cd940fadd22dfd3b79b03a66ba763a6b6e83

      SHA512

      6fad52177e472ed144f1be46a4e5729f04e42774d92531e091f5c99246f170c9057566caa8302f6dd19d1184f1a5073acd0fee952a0ac6b47e21de26611cef1d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE
      Filesize

      126KB

      MD5

      3c9ca31b4d07143cc51a965fa8cd7ee8

      SHA1

      f1b83c2ba9955c15d2620b73a42ed92db8b49d49

      SHA256

      605264d2d678094d93a7b38c4539cd940fadd22dfd3b79b03a66ba763a6b6e83

      SHA512

      6fad52177e472ed144f1be46a4e5729f04e42774d92531e091f5c99246f170c9057566caa8302f6dd19d1184f1a5073acd0fee952a0ac6b47e21de26611cef1d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE
      Filesize

      658KB

      MD5

      efa6a56bc92b0d9e88d95bdeae626fca

      SHA1

      99a1864c799f9c79ac646c9bdab868ba55fc7029

      SHA256

      d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6

      SHA512

      439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE
      Filesize

      658KB

      MD5

      efa6a56bc92b0d9e88d95bdeae626fca

      SHA1

      99a1864c799f9c79ac646c9bdab868ba55fc7029

      SHA256

      d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6

      SHA512

      439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmpB28C.tmp.bat
      Filesize

      159B

      MD5

      bd183659472d47804fe2639af6d276f3

      SHA1

      f0d13f86933e9d1a46db89d6884245d7f6965ef3

      SHA256

      b7b552a9a6c25761fe1bb544d404895ef6adeea1085b84240c6dffe6a9ceb14a

      SHA512

      5b825154302a6d3efdd3157f8093fc91f5777643c2911bdd81e64a807866524d7b46d858fd97d9220c0c0bc9e9e678949f32872b168e042dfa4efbb30b0e7c43

      Download Submit
    • C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe
      Filesize

      126KB

      MD5

      3c9ca31b4d07143cc51a965fa8cd7ee8

      SHA1

      f1b83c2ba9955c15d2620b73a42ed92db8b49d49

      SHA256

      605264d2d678094d93a7b38c4539cd940fadd22dfd3b79b03a66ba763a6b6e83

      SHA512

      6fad52177e472ed144f1be46a4e5729f04e42774d92531e091f5c99246f170c9057566caa8302f6dd19d1184f1a5073acd0fee952a0ac6b47e21de26611cef1d

      Download Submit
    • C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe
      Filesize

      126KB

      MD5

      3c9ca31b4d07143cc51a965fa8cd7ee8

      SHA1

      f1b83c2ba9955c15d2620b73a42ed92db8b49d49

      SHA256

      605264d2d678094d93a7b38c4539cd940fadd22dfd3b79b03a66ba763a6b6e83

      SHA512

      6fad52177e472ed144f1be46a4e5729f04e42774d92531e091f5c99246f170c9057566caa8302f6dd19d1184f1a5073acd0fee952a0ac6b47e21de26611cef1d

      Download Submit
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Filesize

      658KB

      MD5

      efa6a56bc92b0d9e88d95bdeae626fca

      SHA1

      99a1864c799f9c79ac646c9bdab868ba55fc7029

      SHA256

      d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6

      SHA512

      439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0

      Download Submit
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Filesize

      658KB

      MD5

      efa6a56bc92b0d9e88d95bdeae626fca

      SHA1

      99a1864c799f9c79ac646c9bdab868ba55fc7029

      SHA256

      d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6

      SHA512

      439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0

      Download Submit
    • memory/396-151-0x0000000000000000-mapping.dmp
      Download
    • memory/444-155-0x0000000000000000-mapping.dmp
      Download
    • memory/692-142-0x0000000000000000-mapping.dmp
      Download
    • memory/1220-143-0x0000000000000000-mapping.dmp
      Download
    • memory/1340-130-0x0000000000000000-mapping.dmp
      Download
    • memory/1984-144-0x0000000000000000-mapping.dmp
      Download
    • memory/2152-136-0x0000000000000000-mapping.dmp
      Download
    • memory/2216-140-0x0000000000000000-mapping.dmp
      Download
    • memory/2296-139-0x00000000002F0000-0x0000000000316000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2296-149-0x00000000050B0000-0x000000000514C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2296-148-0x0000000004C40000-0x0000000004CA6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2296-133-0x0000000000000000-mapping.dmp
      Download
    • memory/2864-153-0x0000000000000000-mapping.dmp
      Download
    • memory/3120-147-0x0000000000000000-mapping.dmp
      Download
    • memory/3324-154-0x0000000000000000-mapping.dmp
      Download
    • memory/3428-150-0x0000000000000000-mapping.dmp
      Download
    • memory/3680-141-0x0000000000000000-mapping.dmp
      Download