darkcomet | f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166

General

Target

f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
Size

954KB
MD5

1989705ebd2e4250af7f90216e0b1ec3
SHA1

07d63a38c3ba1265c18eff3593d208a48c766ff6
SHA256

f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166
SHA512

f8c983bd3f6b477fdfdd0ffd2e5c1504083caa5cff498fd2c8c507b91bb1f34c1cfa01264a49bda7c51d8b1ced2d6dab5234a6bad989280c3ca18528f4d4e704
SSDEEP

12288:n1Gsn5jbJn7vuxMnkawkE7ydj4+7VupWhnLMN+vt9StL5wwTsUkLhDUKH/AJ:ssfLuxgiL7ydx7fIN+vS9IUkLVUKH/A

Score

10^/10

darkcomet billy persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

BILLY

C2

withgod.hopper.pw:5666

Mutex

DC_MUTEX-MTS57PW

Attributes

gencode
FQhcDlPXsfbe
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Aint-botkiller = "C:\\Users\\Admin\\AppData\\Roaming\\HJUutrhd.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe

description	pid	process	target process
PID 1380 set thread context of 5008	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe

pid	process
1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exeapplaunch.exe

description	pid	process
Token: SeDebugPrivilege	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
Token: SeIncreaseQuotaPrivilege	5008	applaunch.exe
Token: SeSecurityPrivilege	5008	applaunch.exe
Token: SeTakeOwnershipPrivilege	5008	applaunch.exe
Token: SeLoadDriverPrivilege	5008	applaunch.exe
Token: SeSystemProfilePrivilege	5008	applaunch.exe
Token: SeSystemtimePrivilege	5008	applaunch.exe
Token: SeProfSingleProcessPrivilege	5008	applaunch.exe
Token: SeIncBasePriorityPrivilege	5008	applaunch.exe
Token: SeCreatePagefilePrivilege	5008	applaunch.exe
Token: SeBackupPrivilege	5008	applaunch.exe
Token: SeRestorePrivilege	5008	applaunch.exe
Token: SeShutdownPrivilege	5008	applaunch.exe
Token: SeDebugPrivilege	5008	applaunch.exe
Token: SeSystemEnvironmentPrivilege	5008	applaunch.exe
Token: SeChangeNotifyPrivilege	5008	applaunch.exe
Token: SeRemoteShutdownPrivilege	5008	applaunch.exe
Token: SeUndockPrivilege	5008	applaunch.exe
Token: SeManageVolumePrivilege	5008	applaunch.exe
Token: SeImpersonatePrivilege	5008	applaunch.exe
Token: SeCreateGlobalPrivilege	5008	applaunch.exe
Token: 33	5008	applaunch.exe
Token: 34	5008	applaunch.exe
Token: 35	5008	applaunch.exe
Token: 36	5008	applaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

applaunch.exe

pid process

5008 applaunch.exe

pid	process
5008	applaunch.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.execsc.execmd.exe

description	pid	process	target process
PID 1380 wrote to memory of 792	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	csc.exe
PID 1380 wrote to memory of 792	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	csc.exe
PID 1380 wrote to memory of 792	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	csc.exe
PID 792 wrote to memory of 4660	792	csc.exe	cvtres.exe
PID 792 wrote to memory of 4660	792	csc.exe	cvtres.exe
PID 792 wrote to memory of 4660	792	csc.exe	cvtres.exe
PID 1380 wrote to memory of 5008	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1380 wrote to memory of 5008	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1380 wrote to memory of 5008	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1380 wrote to memory of 5008	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1380 wrote to memory of 5008	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1380 wrote to memory of 5008	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1380 wrote to memory of 5008	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1380 wrote to memory of 5008	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1380 wrote to memory of 5008	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1380 wrote to memory of 5008	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1380 wrote to memory of 5008	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1380 wrote to memory of 5008	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1380 wrote to memory of 5008	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1380 wrote to memory of 5008	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	applaunch.exe
PID 1380 wrote to memory of 4828	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	cmd.exe
PID 1380 wrote to memory of 4828	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	cmd.exe
PID 1380 wrote to memory of 4828	1380	f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe	cmd.exe
PID 4828 wrote to memory of 2896	4828	cmd.exe	reg.exe
PID 4828 wrote to memory of 2896	4828	cmd.exe	reg.exe
PID 4828 wrote to memory of 2896	4828	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe
"C:\Users\Admin\AppData\Local\Temp\f53947b5df2c10ef35d22e6fca08f9028fe1ff56a5adac17e6b457af3a347166.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dipazz16.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF33F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF33E.tmp"
3⤵
PID:4660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5008

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Aint-botkiller" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\HJUutrhd.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Aint-botkiller" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\HJUutrhd.exe
3⤵
- Adds Run key to start application
PID:2896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF33F.tmp
Filesize
1KB

MD5
7756c25def240e0f6eca5a85270fa2b4

SHA1
a8616339ce5dceeb5da81fdecbee7eb59c8ffc39

SHA256
b4ff6f5549180944143ceb7a9215c00f0765c7b4e86d15bd55b2bb3814ccda80

SHA512
93539f873ea0989d5b94843b3b84755a00b83d1bca3b630e81f172a8e01283ac5b8cb3c06af101bb3dde29770ab3605434ebf1b82487de9f7cc8d36031092419

Download Submit
C:\Users\Admin\AppData\Local\Temp\dipazz16.dll
Filesize
1.3MB

MD5
e61cc6944d62363b82162c8bec3135e9

SHA1
6f2edad059b4399a1489317518886cb6363290c4

SHA256
05cc38a25c063ae22b21a810758e192c2b71330224cc15b6a866825234555966

SHA512
60b7ef31627344570c75446aba55c0e7c58b69cceb359bd28ab61eb5a7f8f1e243eb60cff189392d077a640f01a08db596fb14e464204b0319ea6d54babbbbd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF33E.tmp
Filesize
652B

MD5
17fe15ae6e1385cb3747b2f64a7a1d08

SHA1
809271dd07721e3c7f0d08428a0522e0ceb12610

SHA256
ad662685a85c99a2b0864c542864be35984f8a051c4857dab299c73b0fd8d3f5

SHA512
5e8a8ebbf02557cc40a9024b889b71c40c503087f67248154aa25ea3ccdc38954b269d03e113f133cc964504a356c11b79e9758142aa5e3a5785a3c9cc9c477e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dipazz16.cmdline
Filesize
196B

MD5
c5a022328fcc6e4e34597a0156c34411

SHA1
1ef11d7addc3e84fb769ea08dd60ca81dde9d2c7

SHA256
480d54d4c3fd66c0c22822ab57bac5bff19a88ed615390d622d905740968889c

SHA512
51a42f3858b69de9edd36a62af137e592de11452d52032cb34537973f8487fb85f07dffd90035d0306f85687e7f9cb67311caf22f930cdf767c5119a4ba900be

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmpECA7.tmp.txt
Filesize
648KB

MD5
43b6e00e59849a715aa70242fd3a1a27

SHA1
51b7b6f9df46e55c8bf0be19ad64fd4b9f6daca7

SHA256
4d3b6444d5836a77a384adf3d4ea012aab10c1a853dae213564a8860e1f8501a

SHA512
65c20f055921c0365787f12d5a48ba8956e604a76b4307535526f98e0b9a9cd297b3e9c6d86224cf88e0b5ff1b2a0e0a75630607b7fe19520c142a2462c6ac04

Download Submit
memory/792-133-0x0000000000000000-mapping.dmp

Download
memory/1380-156-0x0000000074A00000-0x0000000074FB1000-memory.dmp

Filesize
5.7MB

Download
memory/1380-132-0x0000000074A00000-0x0000000074FB1000-memory.dmp

Filesize
5.7MB

Download
memory/2896-154-0x0000000000000000-mapping.dmp

Download
memory/4660-136-0x0000000000000000-mapping.dmp

Download
memory/4828-151-0x0000000000000000-mapping.dmp

Download
memory/5008-142-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5008-145-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5008-147-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5008-148-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5008-149-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5008-152-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5008-143-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5008-153-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5008-141-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5008-155-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5008-140-0x0000000000000000-mapping.dmp

Download
memory/5008-157-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads