darkcomet | 564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa

General

Target

564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.exe
Size

1.7MB
MD5

a0e4381250de28e795b8b0c3148e5620
SHA1

0bc879670e1d9c0400405d1c3dd1f933689e781b
SHA256

564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa
SHA512

eba0fe53b053674ecd4b4e57aecb52b2d1d973bcb71c6d5e3f4207e7b8730b2a4fc23323e1559c696bdce06c0c365c4110e14c7ac41807fb8b82ec15515e9056
SSDEEP

49152:skwkn9IMHeaS7hi0TdX+PouMOskjALaPCS:HdnVCtdCouwkjA2PC

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

tragicdux.chickenkiller.com:3175

Mutex

DC_MUTEX-L9H93A3

Attributes

gencode
1L4pelzQX7xS
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

sample.exe

pid process

860 sample.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1248 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.exe

pid process

1812 564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1248	cmd.exe

pid	process
1812	564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sample.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	sample.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\sample.exe"	sample.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\sample.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\sample.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\sample.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

sample.exe

description pid process target process

PID 860 set thread context of 592 860 sample.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 860 set thread context of 592	860	sample.exe	vbc.exe

NTFS ADS 3 IoCs

Processes:

sample.exe564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\sample.exe:Zone.Identifier:$DATA	sample.exe
File created	C:\Users\Admin\AppData\Local\Temp\564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.exe:Zone.Identifier:$DATA	564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.exe
File created	C:\Users\Admin\AppData\Roaming\sample.exe\:Zone.Identifier:$DATA	564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1068 PING.EXE

pid	process
1068	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sample.exe

pid	process
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe
860	sample.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	592	vbc.exe
Token: SeSecurityPrivilege	592	vbc.exe
Token: SeTakeOwnershipPrivilege	592	vbc.exe
Token: SeLoadDriverPrivilege	592	vbc.exe
Token: SeSystemProfilePrivilege	592	vbc.exe
Token: SeSystemtimePrivilege	592	vbc.exe
Token: SeProfSingleProcessPrivilege	592	vbc.exe
Token: SeIncBasePriorityPrivilege	592	vbc.exe
Token: SeCreatePagefilePrivilege	592	vbc.exe
Token: SeBackupPrivilege	592	vbc.exe
Token: SeRestorePrivilege	592	vbc.exe
Token: SeShutdownPrivilege	592	vbc.exe
Token: SeDebugPrivilege	592	vbc.exe
Token: SeSystemEnvironmentPrivilege	592	vbc.exe
Token: SeChangeNotifyPrivilege	592	vbc.exe
Token: SeRemoteShutdownPrivilege	592	vbc.exe
Token: SeUndockPrivilege	592	vbc.exe
Token: SeManageVolumePrivilege	592	vbc.exe
Token: SeImpersonatePrivilege	592	vbc.exe
Token: SeCreateGlobalPrivilege	592	vbc.exe
Token: 33	592	vbc.exe
Token: 34	592	vbc.exe
Token: 35	592	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

960 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

592 vbc.exe

pid	process
960	DllHost.exe

pid	process
592	vbc.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.execmd.exesample.exe

description	pid	process	target process
PID 1812 wrote to memory of 860	1812	564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.exe	sample.exe
PID 1812 wrote to memory of 860	1812	564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.exe	sample.exe
PID 1812 wrote to memory of 860	1812	564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.exe	sample.exe
PID 1812 wrote to memory of 860	1812	564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.exe	sample.exe
PID 1812 wrote to memory of 1248	1812	564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.exe	cmd.exe
PID 1812 wrote to memory of 1248	1812	564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.exe	cmd.exe
PID 1812 wrote to memory of 1248	1812	564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.exe	cmd.exe
PID 1812 wrote to memory of 1248	1812	564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.exe	cmd.exe
PID 1248 wrote to memory of 1068	1248	cmd.exe	PING.EXE
PID 1248 wrote to memory of 1068	1248	cmd.exe	PING.EXE
PID 1248 wrote to memory of 1068	1248	cmd.exe	PING.EXE
PID 1248 wrote to memory of 1068	1248	cmd.exe	PING.EXE
PID 860 wrote to memory of 592	860	sample.exe	vbc.exe
PID 860 wrote to memory of 592	860	sample.exe	vbc.exe
PID 860 wrote to memory of 592	860	sample.exe	vbc.exe
PID 860 wrote to memory of 592	860	sample.exe	vbc.exe
PID 860 wrote to memory of 592	860	sample.exe	vbc.exe
PID 860 wrote to memory of 592	860	sample.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.exe
"C:\Users\Admin\AppData\Local\Temp\564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.exe"
1⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Roaming\sample.exe
C:\Users\Admin\AppData\Roaming\sample.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:592

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Tempscratch.bat
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\PING.EXE
ping -n 0127.0.0.1
3⤵
- Runs ping.exe
PID:1068

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp00fd02bc4fd7d9cd545e70322937394d.jpeg

Filesize
240KB

MD5
b4d6bdbf0fd59f87c616df22e3842ad1

SHA1
47cf210d47658baada3a51a9a71c140a7f8d9114

SHA256
077e07e739046ac21c1bf3285ae5df5e33da04b54a732f031a7e9451f5289dcd

SHA512
4a9a69bc7bdb04f0f1e762b9661f42ff0170e3770520c3e723092da336142b854d86a14c398d53417ba33fddd58abf8739061e309d514853384ff42eeb3c2538

Download Submit
C:\Users\Admin\AppData\Local\Temp00fd02bc4fd7d9cd545e70322937394d.jpeg

Filesize
240KB

MD5
b4d6bdbf0fd59f87c616df22e3842ad1

SHA1
47cf210d47658baada3a51a9a71c140a7f8d9114

SHA256
077e07e739046ac21c1bf3285ae5df5e33da04b54a732f031a7e9451f5289dcd

SHA512
4a9a69bc7bdb04f0f1e762b9661f42ff0170e3770520c3e723092da336142b854d86a14c398d53417ba33fddd58abf8739061e309d514853384ff42eeb3c2538

Download Submit
C:\Users\Admin\AppData\Local\Temp\564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa.exe

Filesize
1.7MB

MD5
a0e4381250de28e795b8b0c3148e5620

SHA1
0bc879670e1d9c0400405d1c3dd1f933689e781b

SHA256
564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa

SHA512
eba0fe53b053674ecd4b4e57aecb52b2d1d973bcb71c6d5e3f4207e7b8730b2a4fc23323e1559c696bdce06c0c365c4110e14c7ac41807fb8b82ec15515e9056

Download Submit
C:\Users\Admin\AppData\Local\Temp\im4VcwVwISiRReUMO1Z7x5F3l

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Tempscratch.bat

Filesize
322B

MD5
af53e4e73732c940bf4fa9a7bacff726

SHA1
506d360c41333cfc5d2731d1ebaf6c529fcf1958

SHA256
b2ab8d923e6fb330260fbf4c05c918bc3eb7b14cc0b569f202eaea790f8a8be3

SHA512
e652256e3192a7c34da758ac8d5c2853b80085225a3fba3c16814d7446efcd78b618d532ee334411c5d25138597759b51feafc43177eae97618e8d8d9dd522c4

Download Submit
C:\Users\Admin\AppData\Roaming\sample.exe

Filesize
1.7MB

MD5
a0e4381250de28e795b8b0c3148e5620

SHA1
0bc879670e1d9c0400405d1c3dd1f933689e781b

SHA256
564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa

SHA512
eba0fe53b053674ecd4b4e57aecb52b2d1d973bcb71c6d5e3f4207e7b8730b2a4fc23323e1559c696bdce06c0c365c4110e14c7ac41807fb8b82ec15515e9056

Download Submit
C:\Users\Admin\AppData\Roaming\sample.exe

Filesize
1.7MB

MD5
a0e4381250de28e795b8b0c3148e5620

SHA1
0bc879670e1d9c0400405d1c3dd1f933689e781b

SHA256
564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa

SHA512
eba0fe53b053674ecd4b4e57aecb52b2d1d973bcb71c6d5e3f4207e7b8730b2a4fc23323e1559c696bdce06c0c365c4110e14c7ac41807fb8b82ec15515e9056

Download Submit
\Users\Admin\AppData\Roaming\sample.exe

Filesize
1.7MB

MD5
a0e4381250de28e795b8b0c3148e5620

SHA1
0bc879670e1d9c0400405d1c3dd1f933689e781b

SHA256
564390eb14d5fb93e012db3ef3933c32e9fe4eeec170d036e1d34345d65594fa

SHA512
eba0fe53b053674ecd4b4e57aecb52b2d1d973bcb71c6d5e3f4207e7b8730b2a4fc23323e1559c696bdce06c0c365c4110e14c7ac41807fb8b82ec15515e9056

Download Submit
memory/592-69-0x0000000000080000-0x0000000000132000-memory.dmp

Filesize
712KB

Download
memory/592-67-0x0000000000080000-0x0000000000132000-memory.dmp

Filesize
712KB

Download
memory/592-70-0x000000000010F888-mapping.dmp

Download
memory/592-71-0x0000000000080000-0x0000000000132000-memory.dmp

Filesize
712KB

Download
memory/592-73-0x0000000000080000-0x0000000000132000-memory.dmp

Filesize
712KB

Download
memory/592-74-0x0000000000080000-0x0000000000132000-memory.dmp

Filesize
712KB

Download
memory/592-76-0x0000000000080000-0x0000000000132000-memory.dmp

Filesize
712KB

Download
memory/860-57-0x0000000000000000-mapping.dmp

Download
memory/1068-65-0x0000000000000000-mapping.dmp

Download
memory/1248-60-0x0000000000000000-mapping.dmp

Download
memory/1812-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads