darkcomet | 34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313

General

Target

34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
Size

2.8MB
MD5

c633939e77b5cad28435cd6d1992f733
SHA1

beb9eb6895f973e8652f93ec792ce899653e07f2
SHA256

34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313
SHA512

a7dda52d2d62c51fd7e4a4e326a159f1ee16789fad0db98742c89003de20c7989b6f1aa37dd318e2e9091a749449b2335799740861019f57358d08b09f958fb3
SSDEEP

49152:3v5eYSm++WEQybtwVgRKwK9Svaj4u05l0Cs/zRHXK4M1RRTM88z04g8crAc+f8:/NSm++WE1dRKpSSj05l0Cs/zRHXK4M1f

Score

10^/10

darkcomet word persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

word

C2

markben390.no-ip.org:1604

Mutex

DCMIN_MUTEX-WG79R6U

Attributes

gencode
QUoBsi7XUpPd
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\dcword = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe"	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1800-59-0x0000000000400000-0x0000000000580000-memory.dmp	autoit_exe
behavioral1/memory/1548-66-0x0000000000400000-0x0000000000580000-memory.dmp	autoit_exe
behavioral1/memory/1548-73-0x0000000000400000-0x0000000000580000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe

description	pid	process	target process
PID 652 set thread context of 1800	652	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
PID 1716 set thread context of 1548	1716	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
PID 1548 set thread context of 1584	1548	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe

pid process

1548 34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe

pid	process
1548	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe

pid	process
652	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
652	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
1716	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
1716	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1584	vbc.exe
Token: SeSecurityPrivilege	1584	vbc.exe
Token: SeTakeOwnershipPrivilege	1584	vbc.exe
Token: SeLoadDriverPrivilege	1584	vbc.exe
Token: SeSystemProfilePrivilege	1584	vbc.exe
Token: SeSystemtimePrivilege	1584	vbc.exe
Token: SeProfSingleProcessPrivilege	1584	vbc.exe
Token: SeIncBasePriorityPrivilege	1584	vbc.exe
Token: SeCreatePagefilePrivilege	1584	vbc.exe
Token: SeBackupPrivilege	1584	vbc.exe
Token: SeRestorePrivilege	1584	vbc.exe
Token: SeShutdownPrivilege	1584	vbc.exe
Token: SeDebugPrivilege	1584	vbc.exe
Token: SeSystemEnvironmentPrivilege	1584	vbc.exe
Token: SeChangeNotifyPrivilege	1584	vbc.exe
Token: SeRemoteShutdownPrivilege	1584	vbc.exe
Token: SeUndockPrivilege	1584	vbc.exe
Token: SeManageVolumePrivilege	1584	vbc.exe
Token: SeImpersonatePrivilege	1584	vbc.exe
Token: SeCreateGlobalPrivilege	1584	vbc.exe
Token: 33	1584	vbc.exe
Token: 34	1584	vbc.exe
Token: 35	1584	vbc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe

pid	process
1800	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
1800	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
1800	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe

pid	process
1800	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
1800	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
1800	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

1584 vbc.exe

pid	process
1584	vbc.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe

C:\Users\Admin\AppData\Local\Temp\34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
"C:\Users\Admin\AppData\Local\Temp\34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Local\Temp\34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
"C:\Users\Admin\AppData\Local\Temp\34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe"
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\Temp\34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
C:\Users\Admin\AppData\Local\Temp\34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\c" "C:\Users\Admin\AppData\Local\Temp\34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe"
3⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\Temp\34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
C:\Users\Admin\AppData\Local\Temp\34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\c" "C:\Users\Admin\AppData\Local\Temp\34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe"
4⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c
Filesize
18KB

MD5
5d1f7483021192a2b59bdb1286a88db4

SHA1
327b7b7fa9a71ba82cbe482429ac4251d4abaea3

SHA256
79cf35a79ebbe69fcb67f11b08a0fbdf2cccbf50a437cb1c4ee67952c97c483e

SHA512
8f7bd64df0b4f2083dd1cca09f27bf2ce6652694f6112ff24a0d26eaf1f58328924202a0611465b9aa62fba063d37b48b1e76f8307f1de3fb61c280974d8acf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl1
Filesize
12KB

MD5
31fd40fd1891ede7259c8eaca4debcb9

SHA1
5e79575a985ba6f98c4b876f84b1355de61aed55

SHA256
dc9d156617c01507ebbd09a44a336bd75801ba2ac5ee6240884084e5536b7b01

SHA512
6655a831bdb041dcc8c026ec27abb80494e847b8ffdf813a99955c6dcb144ac5916827f3ac1e8b0012e87e88e8cb311cd3f2905072d7e8fe3eca079507d82b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl2
Filesize
658KB

MD5
79be0bededaf7797fea83e7f15ddb002

SHA1
9e9ce8942718d368bca03c2233acd59a21974da7

SHA256
a0ad369ecf9a402c24ff082a0b63c17a820e590f0cb2cfb1a8513e6de196e56d

SHA512
3a896e605c8d96b9b2ebda795c7e4530a8bd39ff0ee29e553d1a859129bffb991ac858ff62c7a58787068359ceb42ce5c293df54d52836beaffeaea7c28e6798

Download Submit
memory/652-55-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/652-54-0x0000000074ED1000-0x0000000074ED3000-memory.dmp

Filesize
8KB

Download
memory/1548-73-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/1548-66-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/1548-61-0x0000000000425F74-mapping.dmp

Download
memory/1584-70-0x00000000002DF888-mapping.dmp

Download
memory/1584-67-0x0000000000250000-0x0000000000302000-memory.dmp

Filesize
712KB

Download
memory/1584-69-0x0000000000250000-0x0000000000302000-memory.dmp

Filesize
712KB

Download
memory/1584-71-0x0000000000250000-0x0000000000302000-memory.dmp

Filesize
712KB

Download
memory/1584-74-0x0000000000250000-0x0000000000302000-memory.dmp

Filesize
712KB

Download
memory/1584-75-0x0000000000250000-0x0000000000302000-memory.dmp

Filesize
712KB

Download
memory/1584-76-0x0000000000250000-0x0000000000302000-memory.dmp

Filesize
712KB

Download
memory/1716-58-0x0000000000000000-mapping.dmp

Download
memory/1800-59-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/1800-56-0x0000000000425F74-mapping.dmp

Download

description	pid	process	target process
PID 652 wrote to memory of 1800	652	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
PID 652 wrote to memory of 1800	652	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
PID 652 wrote to memory of 1800	652	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
PID 652 wrote to memory of 1800	652	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
PID 1800 wrote to memory of 1716	1800	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
PID 1800 wrote to memory of 1716	1800	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
PID 1800 wrote to memory of 1716	1800	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
PID 1800 wrote to memory of 1716	1800	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
PID 1716 wrote to memory of 1548	1716	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
PID 1716 wrote to memory of 1548	1716	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
PID 1716 wrote to memory of 1548	1716	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
PID 1716 wrote to memory of 1548	1716	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe
PID 1548 wrote to memory of 1584	1548	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	vbc.exe
PID 1548 wrote to memory of 1584	1548	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	vbc.exe
PID 1548 wrote to memory of 1584	1548	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	vbc.exe
PID 1548 wrote to memory of 1584	1548	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	vbc.exe
PID 1548 wrote to memory of 1584	1548	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	vbc.exe
PID 1548 wrote to memory of 1584	1548	34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313.exe	vbc.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads