darkcomet | 31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f

General

Target

31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe
Size

1.4MB
MD5

6c4fd4892b2f680e75cd06a2b7c8a345
SHA1

9b7b0ae22cfd2d85aa27a43d65570c09a55dc6ff
SHA256

31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f
SHA512

51705859290dd981ce533cd7c21895e18b0ebef7995e0c3a8edb331e5350796d0c95d187cf50085e88e9f31d323f2582747b13e7793450b266c6cd1600a5a381
SSDEEP

24576:ZhqU/8O55m4/bK4XuNGLBGAxBFuRm5zxlpUey0gf58Cnu/+KI5fwHko1tK/FIIbM:ZhqU/T55m4+Lams5ILDskorKWN

Score

10^/10

darkcomet hf persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

HF

C2

cyber-dos.no-ip.org:1337

Mutex

DC_MUTEX-12KVRY9

Attributes

gencode
THybCZwopUiG
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindosU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindosU.exe"	31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe

description	ioc	process
File opened for modification	C:\autorun.inf	31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe
File created	D:\autorun.inf	31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe
File opened for modification	D:\autorun.inf	31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe
File created	C:\autorun.inf	31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe

description	pid	process	target process
PID 4248 set thread context of 1948	4248	31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe	vbc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1948	vbc.exe
Token: SeSecurityPrivilege	1948	vbc.exe
Token: SeTakeOwnershipPrivilege	1948	vbc.exe
Token: SeLoadDriverPrivilege	1948	vbc.exe
Token: SeSystemProfilePrivilege	1948	vbc.exe
Token: SeSystemtimePrivilege	1948	vbc.exe
Token: SeProfSingleProcessPrivilege	1948	vbc.exe
Token: SeIncBasePriorityPrivilege	1948	vbc.exe
Token: SeCreatePagefilePrivilege	1948	vbc.exe
Token: SeBackupPrivilege	1948	vbc.exe
Token: SeRestorePrivilege	1948	vbc.exe
Token: SeShutdownPrivilege	1948	vbc.exe
Token: SeDebugPrivilege	1948	vbc.exe
Token: SeSystemEnvironmentPrivilege	1948	vbc.exe
Token: SeChangeNotifyPrivilege	1948	vbc.exe
Token: SeRemoteShutdownPrivilege	1948	vbc.exe
Token: SeUndockPrivilege	1948	vbc.exe
Token: SeManageVolumePrivilege	1948	vbc.exe
Token: SeImpersonatePrivilege	1948	vbc.exe
Token: SeCreateGlobalPrivilege	1948	vbc.exe
Token: 33	1948	vbc.exe
Token: 34	1948	vbc.exe
Token: 35	1948	vbc.exe
Token: 36	1948	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

1948 vbc.exe

pid	process
1948	vbc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe

description	pid	process	target process
PID 4248 wrote to memory of 1948	4248	31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe	vbc.exe
PID 4248 wrote to memory of 1948	4248	31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe	vbc.exe
PID 4248 wrote to memory of 1948	4248	31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe	vbc.exe
PID 4248 wrote to memory of 1948	4248	31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe	vbc.exe
PID 4248 wrote to memory of 1948	4248	31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe	vbc.exe
PID 4248 wrote to memory of 1948	4248	31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe	vbc.exe
PID 4248 wrote to memory of 1948	4248	31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe	vbc.exe
PID 4248 wrote to memory of 1948	4248	31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe	vbc.exe
PID 4248 wrote to memory of 1948	4248	31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe	vbc.exe
PID 4248 wrote to memory of 1948	4248	31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe	vbc.exe
PID 4248 wrote to memory of 1948	4248	31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe	vbc.exe
PID 4248 wrote to memory of 1948	4248	31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe	vbc.exe
PID 4248 wrote to memory of 1948	4248	31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe	vbc.exe
PID 4248 wrote to memory of 1948	4248	31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe
"C:\Users\Admin\AppData\Local\Temp\31fbb03d31e7795ab6fa95dd2045876f516e4f6043c2d5209b56e2bd8483825f.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1948-133-0x0000000000000000-mapping.dmp

Download
memory/1948-134-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1948-135-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1948-136-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1948-137-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1948-139-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4248-132-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download
memory/4248-138-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads