darkcomet | f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166

General

Target

f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
Size

954KB
MD5

1989705ebd2e4250af7f90216e0b1ec3
SHA1

07d63a38c3ba1265c18eff3593d208a48c766ff6
SHA256

f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166
SHA512

f8c983bd3f6b477fdfdd0ffd2e5c1504083caa5cff498fd2c8c507b91bb1f34c1cfa01264a49bda7c51d8b1ced2d6dab5234a6bad989280c3ca18528f4d4e704
SSDEEP

12288:n1Gsn5jbJn7vuxMnkawkE7ydj4+7VupWhnLMN+vt9StL5wwTsUkLhDUKH/AJ:ssfLuxgiL7ydx7fIN+vS9IUkLVUKH/A

Score

10^/10

darkcomet billy persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

BILLY

C2

withgod.hopper.pw:5666

Mutex

DC_MUTEX-MTS57PW

Attributes

gencode
FQhcDlPXsfbe
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aint-botkiller = "C:\\Users\\Admin\\AppData\\Roaming\\XkwpEYEt.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe

description	pid	process	target process
PID 1500 set thread context of 1724	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe

pid	process
1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exeapplaunch.exe

description	pid	process
Token: SeDebugPrivilege	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
Token: SeIncreaseQuotaPrivilege	1724	applaunch.exe
Token: SeSecurityPrivilege	1724	applaunch.exe
Token: SeTakeOwnershipPrivilege	1724	applaunch.exe
Token: SeLoadDriverPrivilege	1724	applaunch.exe
Token: SeSystemProfilePrivilege	1724	applaunch.exe
Token: SeSystemtimePrivilege	1724	applaunch.exe
Token: SeProfSingleProcessPrivilege	1724	applaunch.exe
Token: SeIncBasePriorityPrivilege	1724	applaunch.exe
Token: SeCreatePagefilePrivilege	1724	applaunch.exe
Token: SeBackupPrivilege	1724	applaunch.exe
Token: SeRestorePrivilege	1724	applaunch.exe
Token: SeShutdownPrivilege	1724	applaunch.exe
Token: SeDebugPrivilege	1724	applaunch.exe
Token: SeSystemEnvironmentPrivilege	1724	applaunch.exe
Token: SeChangeNotifyPrivilege	1724	applaunch.exe
Token: SeRemoteShutdownPrivilege	1724	applaunch.exe
Token: SeUndockPrivilege	1724	applaunch.exe
Token: SeManageVolumePrivilege	1724	applaunch.exe
Token: SeImpersonatePrivilege	1724	applaunch.exe
Token: SeCreateGlobalPrivilege	1724	applaunch.exe
Token: 33	1724	applaunch.exe
Token: 34	1724	applaunch.exe
Token: 35	1724	applaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

applaunch.exe

pid process

1724 applaunch.exe

pid	process
1724	applaunch.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.execsc.execmd.exe

description	pid	process	target process
PID 1500 wrote to memory of 680	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	csc.exe
PID 1500 wrote to memory of 680	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	csc.exe
PID 1500 wrote to memory of 680	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	csc.exe
PID 1500 wrote to memory of 680	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	csc.exe
PID 680 wrote to memory of 296	680	csc.exe	cvtres.exe
PID 680 wrote to memory of 296	680	csc.exe	cvtres.exe
PID 680 wrote to memory of 296	680	csc.exe	cvtres.exe
PID 680 wrote to memory of 296	680	csc.exe	cvtres.exe
PID 1500 wrote to memory of 1724	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1500 wrote to memory of 1724	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1500 wrote to memory of 1724	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1500 wrote to memory of 1724	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1500 wrote to memory of 1724	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1500 wrote to memory of 1724	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1500 wrote to memory of 1724	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1500 wrote to memory of 1724	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1500 wrote to memory of 1724	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1500 wrote to memory of 1724	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1500 wrote to memory of 1724	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1500 wrote to memory of 1724	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1500 wrote to memory of 1724	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1500 wrote to memory of 1724	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1500 wrote to memory of 1724	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1500 wrote to memory of 1724	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1500 wrote to memory of 996	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	cmd.exe
PID 1500 wrote to memory of 996	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	cmd.exe
PID 1500 wrote to memory of 996	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	cmd.exe
PID 1500 wrote to memory of 996	1500	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	cmd.exe
PID 996 wrote to memory of 808	996	cmd.exe	reg.exe
PID 996 wrote to memory of 808	996	cmd.exe	reg.exe
PID 996 wrote to memory of 808	996	cmd.exe	reg.exe
PID 996 wrote to memory of 808	996	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
"C:\Users\Admin\AppData\Local\Temp\f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qbj4wfmc.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES26F3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC26E3.tmp"
3⤵
PID:296

C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1724

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Aint-botkiller" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\XkwpEYEt.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Aint-botkiller" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\XkwpEYEt.exe
3⤵
- Adds Run key to start application
PID:808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES26F3.tmp
Filesize
1KB

MD5
06ee99489e7555728f84de05c741fb26

SHA1
f461f66185cc4b70fa44ca6220a9717dde3ee7ae

SHA256
e94d38d6873992b34e60d7568349cbc8b02bba1a6d146aa4fc711325bbe855c0

SHA512
9416ef51d6020ef0e662cfa67ba34a18c04f02e2b7959ba857b65937c37929781b357f644aad40ec2362441e035ad61d8ff7d927c1eadf668906bc58fd8171ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbj4wfmc.dll
Filesize
1.3MB

MD5
42840dbe0a60600dd0f321440989c101

SHA1
4f559910f180c154a143c1bbe018828c7937e6bc

SHA256
2648a726d12c4654ff8ce0502fbd423c0c0fa8e3145d86da5fd097dc8c3aa1df

SHA512
ef126a6880b2f30ce3c2f84a2a6d3db4036d39ad08ce01c025c2fb0a46f26a9609eb5815f241e392bf32aa72255f49fbd6ac6a65660a74ecc0bd750eac43f1fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC26E3.tmp
Filesize
652B

MD5
710ea43addea430e3a040e5a946d63f2

SHA1
fc14f8cfabe9d0e740fee99d2083895de6be23de

SHA256
cb0ca03616598e58e22dff2d606968673ce6a5ec5afc7629271075443819b09b

SHA512
9b2e969bf82aae90c59c9f337c7d1f1df35650253fbf46be4568d11fb8db1c0db949132bd7801138f07c99e8ca9b48a5333909577843f59b980b872ae7359e37

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qbj4wfmc.cmdline
Filesize
196B

MD5
da365c78ef0fbed6bceead57741d73b5

SHA1
dba4c261ce688ccd2d11e2eddcb75afce4a44320

SHA256
286fc1a667185ef471c490623a30d90141216d8d630dab96cd69089249e98332

SHA512
df97e4d7c5c04bea25f1a62ef177df86b8fc4ac502a0aed371a1ecc86ceaa7fda8727e9d13c786e946eedb9e1870d06aaea72bd547a09b639284f07afd839361

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmpD4AE.tmp.txt
Filesize
648KB

MD5
43b6e00e59849a715aa70242fd3a1a27

SHA1
51b7b6f9df46e55c8bf0be19ad64fd4b9f6daca7

SHA256
4d3b6444d5836a77a384adf3d4ea012aab10c1a853dae213564a8860e1f8501a

SHA512
65c20f055921c0365787f12d5a48ba8956e604a76b4307535526f98e0b9a9cd297b3e9c6d86224cf88e0b5ff1b2a0e0a75630607b7fe19520c142a2462c6ac04

Download Submit
memory/296-59-0x0000000000000000-mapping.dmp

Download
memory/680-56-0x0000000000000000-mapping.dmp

Download
memory/808-93-0x0000000000000000-mapping.dmp

Download
memory/996-91-0x0000000000000000-mapping.dmp

Download
memory/1500-54-0x0000000074FA1000-0x0000000074FA3000-memory.dmp

Filesize
8KB

Download
memory/1500-55-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1500-84-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1724-88-0x000000000048F888-mapping.dmp

Download
memory/1724-76-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1724-79-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1724-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1724-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1724-86-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1724-72-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1724-89-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1724-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1724-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1724-92-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1724-95-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1724-96-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1724-97-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads