Malware Analysis Report

2025-08-10 21:16

Sample ID 221011-g7vqtaachl
Target e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180
SHA256 e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180
Tags darkcomet nieuw rat trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180

Threat Level: Known bad

The file e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180 was found to be: Known bad.

Malicious Activity Summary

darkcomet nieuw rat trojan upx

Darkcomet

UPX packed file

Checks computer location settings

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-11 06:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-11 06:27

Reported

2022-10-11 08:06

Platform

win7-20220901-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe"

Signatures

Darkcomet

trojan rat darkcomet

UPX packed file

upx

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1244 set thread context of 872 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 34 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 35 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1244 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1244 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1244 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1244 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1244 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1244 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1244 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1244 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\SysWOW64\WScript.exe
PID 1244 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\SysWOW64\WScript.exe
PID 1244 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\SysWOW64\WScript.exe
PID 1244 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\SysWOW64\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe

"C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\UyRjQ.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 aqo.no-ip.info udp

Files

memory/1244-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

memory/1244-55-0x0000000074100000-0x00000000746AB000-memory.dmp

memory/1244-56-0x0000000000AC5000-0x0000000000AD6000-memory.dmp

memory/872-57-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/872-58-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/872-60-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/872-61-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/872-62-0x00000000004B8BD0-mapping.dmp

memory/872-64-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/872-67-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/468-66-0x0000000000000000-mapping.dmp

memory/872-68-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/1244-70-0x0000000000AC5000-0x0000000000AD6000-memory.dmp

memory/1244-69-0x0000000074100000-0x00000000746AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UyRjQ.vbs

MD5 eff7b7b249d68b6b5e35820a3dba3879
SHA1 ed0395da8a62572aba32740f4d09899eaca22eb0
SHA256 82af7867bc976ee9af0107ccc5d20333b315ba43d6986c4b10eb3ac505492dd8
SHA512 2f13dee7ab491a127a51d2f685091d1a66330df2e9daf874bc42ad013738789fa5ed47ef8ba93e8b261c7d3273f2d107acc8e461803a40a001a7201fec97017a

memory/872-73-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/872-74-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/872-75-0x0000000000400000-0x00000000004BA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-11 06:27

Reported

2022-10-11 08:06

Platform

win10v2004-20220901-en

Max time kernel

152s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe"

Signatures

Darkcomet

trojan rat darkcomet

UPX packed file

upx

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4416 set thread context of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 34 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 35 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Token: 36 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4416 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4416 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4416 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4416 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4416 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4416 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4416 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4416 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4416 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\SysWOW64\WScript.exe
PID 4416 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\SysWOW64\WScript.exe
PID 4416 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe C:\Windows\SysWOW64\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe

"C:\Users\Admin\AppData\Local\Temp\e70645506eaf4eb30b2fb137ad33677c6a28ea53f1b7272cc730ec33b0d99180.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\UyRjQ.vbs"

Network

Country Destination Domain Proto
US 8.253.183.120:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 20.42.73.25:443 tcp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.253.183.120:80 tcp
US 8.253.183.120:80 tcp
US 8.253.183.120:80 tcp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp
US 8.8.8.8:53 aqo.no-ip.info udp

Files

memory/4416-132-0x0000000074BF0000-0x00000000751A1000-memory.dmp

memory/4364-133-0x0000000000000000-mapping.dmp

memory/4364-134-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/4364-135-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/4364-137-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/4364-138-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/4188-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\UyRjQ.vbs

MD5 eff7b7b249d68b6b5e35820a3dba3879
SHA1 ed0395da8a62572aba32740f4d09899eaca22eb0
SHA256 82af7867bc976ee9af0107ccc5d20333b315ba43d6986c4b10eb3ac505492dd8
SHA512 2f13dee7ab491a127a51d2f685091d1a66330df2e9daf874bc42ad013738789fa5ed47ef8ba93e8b261c7d3273f2d107acc8e461803a40a001a7201fec97017a

memory/4416-141-0x0000000074BF0000-0x00000000751A1000-memory.dmp

memory/4364-142-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/4364-143-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/4364-144-0x0000000000400000-0x00000000004BA000-memory.dmp