darkcomet | b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de

General

Target

b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe
Size

1.6MB
MD5

fb464794c924adf0e9d448f904bcbc0e
SHA1

23838f0309e313efbf87ceede73c526e7d69725a
SHA256

b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de
SHA512

9c48678ca011dd86b66e7a240edf21e7c2117e3f0cd25e3e993468c9628857c16e2d8d460bf965ae8b5037f9769b2e2f002c4ca07729d3bb12afdf859521530c
SSDEEP

24576:ktb20pkaCqT5TBWgNQ7a+WLqYe39oH8y5Prv6F81MGhuKSdNz56A:NVg5tQ7a+EdH8y5PryFoduxV5

Score

10^/10

darkcomet general persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

General

C2

microsoftcorperation.ddns.net:1337

Mutex

DC_MUTEX-G0M1A4H

Attributes

gencode
gLZapf5KJLR9
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

11723.exe

pid process

1888 11723.exe

pid	process
1888	11723.exe

Loads dropped DLL 4 IoCs

Processes:

b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe

pid	process
1280	b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe
1280	b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe
1280	b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe
1280	b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

11723.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	11723.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WerFault = "C:\\Users\\Admin\\AppData\\Roaming\\11723.exe"	11723.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\11723.exe	autoit_exe
\Users\Admin\AppData\Roaming\11723.exe	autoit_exe
\Users\Admin\AppData\Roaming\11723.exe	autoit_exe
\Users\Admin\AppData\Roaming\11723.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\11723.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\11723.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

11723.exe

description pid process target process

PID 1888 set thread context of 1752 1888 11723.exe WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1888 set thread context of 1752	1888	11723.exe	WerFault.exe

NTFS ADS 3 IoCs

Processes:

b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe11723.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\11723.exe\:Zone.Identifier:$DATA	b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\11723.exe:Zone.Identifier:$DATA	11723.exe
File created	C:\Users\Admin\AppData\Local\Temp\b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe:Zone.Identifier:$DATA	b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe11723.exe

pid	process
1280	b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe
1280	b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe
1280	b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe
1888	11723.exe
1888	11723.exe
1888	11723.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe11723.exe

pid	process
1280	b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe
1280	b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe
1280	b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe
1888	11723.exe
1888	11723.exe
1888	11723.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe11723.exe

description	pid	process	target process
PID 1280 wrote to memory of 1888	1280	b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe	11723.exe
PID 1280 wrote to memory of 1888	1280	b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe	11723.exe
PID 1280 wrote to memory of 1888	1280	b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe	11723.exe
PID 1280 wrote to memory of 1888	1280	b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe	11723.exe
PID 1888 wrote to memory of 1752	1888	11723.exe	WerFault.exe
PID 1888 wrote to memory of 1752	1888	11723.exe	WerFault.exe
PID 1888 wrote to memory of 1752	1888	11723.exe	WerFault.exe
PID 1888 wrote to memory of 1752	1888	11723.exe	WerFault.exe
PID 1888 wrote to memory of 1752	1888	11723.exe	WerFault.exe
PID 1888 wrote to memory of 1752	1888	11723.exe	WerFault.exe
PID 1888 wrote to memory of 1752	1888	11723.exe	WerFault.exe
PID 1888 wrote to memory of 1752	1888	11723.exe	WerFault.exe
PID 1888 wrote to memory of 1752	1888	11723.exe	WerFault.exe
PID 1888 wrote to memory of 1752	1888	11723.exe	WerFault.exe
PID 1888 wrote to memory of 1752	1888	11723.exe	WerFault.exe
PID 1888 wrote to memory of 1752	1888	11723.exe	WerFault.exe
PID 1888 wrote to memory of 1752	1888	11723.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe
"C:\Users\Admin\AppData\Local\Temp\b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de.exe"
1⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Roaming\11723.exe
"C:\Users\Admin\AppData\Roaming\11723.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\WerFault.exe
"C:\Windows\SysWOW64\WerFault.exe"
3⤵
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rr
Filesize
658KB

MD5
54225836659df587e8963022b29770ef

SHA1
b1850d7fb99ff5313d0ecd2d1d858d12ea13987b

SHA256
2a3cae68cf9160fbb4b8162d3d5deef8d4c3f34e9b73007d47f520d392a67263

SHA512
0ce718d2bea6a9f193af3c8e4471dc7f8e106acfb0c6a96af676e0829ef96d1ad2a8f0788c2c6407c04f94f962a7111bf43a73da4b2a1443ecab5c6a338c838d

Download Submit
C:\Users\Admin\AppData\Roaming\11723.exe
Filesize
1.6MB

MD5
fb464794c924adf0e9d448f904bcbc0e

SHA1
23838f0309e313efbf87ceede73c526e7d69725a

SHA256
b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de

SHA512
9c48678ca011dd86b66e7a240edf21e7c2117e3f0cd25e3e993468c9628857c16e2d8d460bf965ae8b5037f9769b2e2f002c4ca07729d3bb12afdf859521530c

Download Submit
C:\Users\Admin\AppData\Roaming\11723.exe
Filesize
1.6MB

MD5
fb464794c924adf0e9d448f904bcbc0e

SHA1
23838f0309e313efbf87ceede73c526e7d69725a

SHA256
b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de

SHA512
9c48678ca011dd86b66e7a240edf21e7c2117e3f0cd25e3e993468c9628857c16e2d8d460bf965ae8b5037f9769b2e2f002c4ca07729d3bb12afdf859521530c

Download Submit
\Users\Admin\AppData\Roaming\11723.exe
Filesize
1.6MB

MD5
fb464794c924adf0e9d448f904bcbc0e

SHA1
23838f0309e313efbf87ceede73c526e7d69725a

SHA256
b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de

SHA512
9c48678ca011dd86b66e7a240edf21e7c2117e3f0cd25e3e993468c9628857c16e2d8d460bf965ae8b5037f9769b2e2f002c4ca07729d3bb12afdf859521530c

Download Submit
\Users\Admin\AppData\Roaming\11723.exe
Filesize
1.6MB

MD5
fb464794c924adf0e9d448f904bcbc0e

SHA1
23838f0309e313efbf87ceede73c526e7d69725a

SHA256
b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de

SHA512
9c48678ca011dd86b66e7a240edf21e7c2117e3f0cd25e3e993468c9628857c16e2d8d460bf965ae8b5037f9769b2e2f002c4ca07729d3bb12afdf859521530c

Download Submit
\Users\Admin\AppData\Roaming\11723.exe
Filesize
1.6MB

MD5
fb464794c924adf0e9d448f904bcbc0e

SHA1
23838f0309e313efbf87ceede73c526e7d69725a

SHA256
b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de

SHA512
9c48678ca011dd86b66e7a240edf21e7c2117e3f0cd25e3e993468c9628857c16e2d8d460bf965ae8b5037f9769b2e2f002c4ca07729d3bb12afdf859521530c

Download Submit
\Users\Admin\AppData\Roaming\11723.exe
Filesize
1.6MB

MD5
fb464794c924adf0e9d448f904bcbc0e

SHA1
23838f0309e313efbf87ceede73c526e7d69725a

SHA256
b06b7ee14bf0c8cf8ac8e69e5304328f1480fade065ce1c8c3a26fd0341b83de

SHA512
9c48678ca011dd86b66e7a240edf21e7c2117e3f0cd25e3e993468c9628857c16e2d8d460bf965ae8b5037f9769b2e2f002c4ca07729d3bb12afdf859521530c

Download Submit
memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1752-74-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1752-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1752-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1752-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1752-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1752-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1752-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1752-76-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1752-78-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1752-79-0x000000000048F888-mapping.dmp

Download
memory/1752-80-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1752-81-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1888-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads