darkcomet | 826e9f4b8e1013d6b4bb53858d9a714d54f7541ce4fc062807a982919fe8b409

General

Target

826e9f4b8e1013d6b4bb53858d9a714d54f7541ce4fc062807a982919fe8b409.exe
Size

940KB
MD5

307852a8d7e874a16df0d3efc49e0c87
SHA1

e54f8f08d80ee47d5f0fcfc7be31e61d798002ab
SHA256

826e9f4b8e1013d6b4bb53858d9a714d54f7541ce4fc062807a982919fe8b409
SHA512

dbf2262d601a4f9dcdba81243ed5289097f66e48d3cbca43aa135764972586d97cabc584ee49c14ba7cbc0b8f5cfe2cdde3fab31ba59a4be479160d506c106a2
SSDEEP

12288:82Z8gTi0KSZnsSTXu9EXrdd+KFBqeI4yDDeEFQmMi3KKhzWz78AZXpXCTlDJYD:H2gTiD0Z0E7dd+wBqeIv6EFQk9hzhUM

Score

10^/10

darkcomet guest16 evasion rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

shawery.no-ip.org:1604

Mutex

DC_MUTEX-NREDHH8

Attributes

gencode
6r3tz7mBDSJf
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	vbc.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	vbc.exe

Disables Task Manager via registry modification
evasion
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1656 set thread context of 4408	1656	826e9f4b8e1013d6b4bb53858d9a714d54f7541ce4fc062807a982919fe8b409.exe	78

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4408	vbc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4408	vbc.exe
Token: SeSecurityPrivilege	4408	vbc.exe
Token: SeTakeOwnershipPrivilege	4408	vbc.exe
Token: SeLoadDriverPrivilege	4408	vbc.exe
Token: SeSystemProfilePrivilege	4408	vbc.exe
Token: SeSystemtimePrivilege	4408	vbc.exe
Token: SeProfSingleProcessPrivilege	4408	vbc.exe
Token: SeIncBasePriorityPrivilege	4408	vbc.exe
Token: SeCreatePagefilePrivilege	4408	vbc.exe
Token: SeBackupPrivilege	4408	vbc.exe
Token: SeRestorePrivilege	4408	vbc.exe
Token: SeShutdownPrivilege	4408	vbc.exe
Token: SeDebugPrivilege	4408	vbc.exe
Token: SeSystemEnvironmentPrivilege	4408	vbc.exe
Token: SeChangeNotifyPrivilege	4408	vbc.exe
Token: SeRemoteShutdownPrivilege	4408	vbc.exe
Token: SeUndockPrivilege	4408	vbc.exe
Token: SeManageVolumePrivilege	4408	vbc.exe
Token: SeImpersonatePrivilege	4408	vbc.exe
Token: SeCreateGlobalPrivilege	4408	vbc.exe
Token: 33	4408	vbc.exe
Token: 34	4408	vbc.exe
Token: 35	4408	vbc.exe
Token: 36	4408	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4408	vbc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 4408	1656	826e9f4b8e1013d6b4bb53858d9a714d54f7541ce4fc062807a982919fe8b409.exe	78
PID 1656 wrote to memory of 4408	1656	826e9f4b8e1013d6b4bb53858d9a714d54f7541ce4fc062807a982919fe8b409.exe	78
PID 1656 wrote to memory of 4408	1656	826e9f4b8e1013d6b4bb53858d9a714d54f7541ce4fc062807a982919fe8b409.exe	78
PID 1656 wrote to memory of 4408	1656	826e9f4b8e1013d6b4bb53858d9a714d54f7541ce4fc062807a982919fe8b409.exe	78
PID 1656 wrote to memory of 4408	1656	826e9f4b8e1013d6b4bb53858d9a714d54f7541ce4fc062807a982919fe8b409.exe	78
PID 1656 wrote to memory of 4408	1656	826e9f4b8e1013d6b4bb53858d9a714d54f7541ce4fc062807a982919fe8b409.exe	78
PID 1656 wrote to memory of 4408	1656	826e9f4b8e1013d6b4bb53858d9a714d54f7541ce4fc062807a982919fe8b409.exe	78
PID 1656 wrote to memory of 4408	1656	826e9f4b8e1013d6b4bb53858d9a714d54f7541ce4fc062807a982919fe8b409.exe	78
PID 1656 wrote to memory of 4408	1656	826e9f4b8e1013d6b4bb53858d9a714d54f7541ce4fc062807a982919fe8b409.exe	78
PID 1656 wrote to memory of 4408	1656	826e9f4b8e1013d6b4bb53858d9a714d54f7541ce4fc062807a982919fe8b409.exe	78
PID 1656 wrote to memory of 4408	1656	826e9f4b8e1013d6b4bb53858d9a714d54f7541ce4fc062807a982919fe8b409.exe	78
PID 1656 wrote to memory of 4408	1656	826e9f4b8e1013d6b4bb53858d9a714d54f7541ce4fc062807a982919fe8b409.exe	78
PID 1656 wrote to memory of 4408	1656	826e9f4b8e1013d6b4bb53858d9a714d54f7541ce4fc062807a982919fe8b409.exe	78
PID 1656 wrote to memory of 4408	1656	826e9f4b8e1013d6b4bb53858d9a714d54f7541ce4fc062807a982919fe8b409.exe	78

C:\Users\Admin\AppData\Local\Temp\826e9f4b8e1013d6b4bb53858d9a714d54f7541ce4fc062807a982919fe8b409.exe
"C:\Users\Admin\AppData\Local\Temp\826e9f4b8e1013d6b4bb53858d9a714d54f7541ce4fc062807a982919fe8b409.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Modifies security service
  - Windows security bypass
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1656-132-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/1656-137-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/4408-134-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4408-135-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4408-136-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4408-138-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4408-139-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads