darkcomet | 879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad

General

Target

879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe
Size

1.5MB
MD5

9f846304ca03af9cd8c24364305f51d6
SHA1

bf0f159c9f477058f6f4b1af7c91b18a3bfc4d49
SHA256

879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad
SHA512

d61ca65e9f0fec86f049f23b9913f7c56440b522a9636641e167f51b24cec36f6260d96905ecac1fdc28c1669094d6e574dcaa70d04ad3c3060912f437f1c77f
SSDEEP

24576:n/y/69r+q6e/2YeY+yTZ8h7IETl/GjNwBVSInELrKE0Wx8fglv/K:nKEiql2Y9iEGGjNxJXUIllv/K

Score

10^/10

darkcomet bot persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

bot

C2

canardwc.zapto.org:1604

Mutex

DC_MUTEX-VSDJA8C

Attributes

gencode
E9ARHzMPTXjL
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

patch.exepatch.exeCRACK_~1.EXE

pid process

2864 patch.exe
1588 patch.exe
520 CRACK_~1.EXE

pid	process
2864	patch.exe
1588	patch.exe
520	CRACK_~1.EXE

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe	upx
behavioral2/memory/2864-144-0x0000000000400000-0x000000000067E000-memory.dmp	upx
behavioral2/memory/2864-146-0x0000000000400000-0x000000000067E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exepatch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	patch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecran = "\"\\.exeTrue\""	patch.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

patch.exe

description pid process target process

PID 2864 set thread context of 1588 2864 patch.exe patch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2864 set thread context of 1588	2864	patch.exe	patch.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

patch.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1588	patch.exe
Token: SeSecurityPrivilege	1588	patch.exe
Token: SeTakeOwnershipPrivilege	1588	patch.exe
Token: SeLoadDriverPrivilege	1588	patch.exe
Token: SeSystemProfilePrivilege	1588	patch.exe
Token: SeSystemtimePrivilege	1588	patch.exe
Token: SeProfSingleProcessPrivilege	1588	patch.exe
Token: SeIncBasePriorityPrivilege	1588	patch.exe
Token: SeCreatePagefilePrivilege	1588	patch.exe
Token: SeBackupPrivilege	1588	patch.exe
Token: SeRestorePrivilege	1588	patch.exe
Token: SeShutdownPrivilege	1588	patch.exe
Token: SeDebugPrivilege	1588	patch.exe
Token: SeSystemEnvironmentPrivilege	1588	patch.exe
Token: SeChangeNotifyPrivilege	1588	patch.exe
Token: SeRemoteShutdownPrivilege	1588	patch.exe
Token: SeUndockPrivilege	1588	patch.exe
Token: SeManageVolumePrivilege	1588	patch.exe
Token: SeImpersonatePrivilege	1588	patch.exe
Token: SeCreateGlobalPrivilege	1588	patch.exe
Token: 33	1588	patch.exe
Token: 34	1588	patch.exe
Token: 35	1588	patch.exe
Token: 36	1588	patch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

patch.exe

pid process

1588 patch.exe

pid	process
1588	patch.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exepatch.exe

description	pid	process	target process
PID 1508 wrote to memory of 2864	1508	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe	patch.exe
PID 1508 wrote to memory of 2864	1508	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe	patch.exe
PID 1508 wrote to memory of 2864	1508	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe	patch.exe
PID 2864 wrote to memory of 1588	2864	patch.exe	patch.exe
PID 2864 wrote to memory of 1588	2864	patch.exe	patch.exe
PID 2864 wrote to memory of 1588	2864	patch.exe	patch.exe
PID 2864 wrote to memory of 1588	2864	patch.exe	patch.exe
PID 2864 wrote to memory of 1588	2864	patch.exe	patch.exe
PID 2864 wrote to memory of 1588	2864	patch.exe	patch.exe
PID 2864 wrote to memory of 1588	2864	patch.exe	patch.exe
PID 2864 wrote to memory of 1588	2864	patch.exe	patch.exe
PID 2864 wrote to memory of 1588	2864	patch.exe	patch.exe
PID 2864 wrote to memory of 1588	2864	patch.exe	patch.exe
PID 2864 wrote to memory of 1588	2864	patch.exe	patch.exe
PID 2864 wrote to memory of 1588	2864	patch.exe	patch.exe
PID 2864 wrote to memory of 1588	2864	patch.exe	patch.exe
PID 1508 wrote to memory of 520	1508	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe	CRACK_~1.EXE
PID 1508 wrote to memory of 520	1508	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe	CRACK_~1.EXE
PID 1508 wrote to memory of 520	1508	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe	CRACK_~1.EXE

C:\Users\Admin\AppData\Local\Temp\879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe
"C:\Users\Admin\AppData\Local\Temp\879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2864

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1588

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CRACK_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CRACK_~1.EXE
2⤵
- Executes dropped EXE
PID:520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CRACK_~1.EXE
Filesize
1.0MB

MD5
8a2b12a27fdf10348d290d79f9ec9e79

SHA1
13581a9f08ef3f16610ef14f3760b7d5bfdc4b38

SHA256
a5fa1c7ae5396a27a9e746062060535ed77c6acf06da1cf783656e0066ad770b

SHA512
4570dd1710895ea2de81c181bf1a015d4ef064cb5cfb536219f63ff07ba32030f3f1ec3b4574ad54f12a40bb719bd0798f7e22a6e7ac842f3966ad94067edfa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CRACK_~1.EXE
Filesize
1.0MB

MD5
8a2b12a27fdf10348d290d79f9ec9e79

SHA1
13581a9f08ef3f16610ef14f3760b7d5bfdc4b38

SHA256
a5fa1c7ae5396a27a9e746062060535ed77c6acf06da1cf783656e0066ad770b

SHA512
4570dd1710895ea2de81c181bf1a015d4ef064cb5cfb536219f63ff07ba32030f3f1ec3b4574ad54f12a40bb719bd0798f7e22a6e7ac842f3966ad94067edfa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
Filesize
1.0MB

MD5
9378cd24a793c9b90fddf97d92d1b09c

SHA1
899eab9097900a28a294d0f63d480202b89be6fa

SHA256
775e2482bc8399f664d447887707a2b796f059dd531a83d299179a64f31fbf58

SHA512
600407dd8acacedac9415245492cf7a1e6f18418ef3faed72bf7c12579ad0616cc99278ba9b0988d8432c2d4d362a8059f02e4d95c9e7a85e660eace02c5cb12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
Filesize
1.0MB

MD5
9378cd24a793c9b90fddf97d92d1b09c

SHA1
899eab9097900a28a294d0f63d480202b89be6fa

SHA256
775e2482bc8399f664d447887707a2b796f059dd531a83d299179a64f31fbf58

SHA512
600407dd8acacedac9415245492cf7a1e6f18418ef3faed72bf7c12579ad0616cc99278ba9b0988d8432c2d4d362a8059f02e4d95c9e7a85e660eace02c5cb12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
Filesize
1.0MB

MD5
9378cd24a793c9b90fddf97d92d1b09c

SHA1
899eab9097900a28a294d0f63d480202b89be6fa

SHA256
775e2482bc8399f664d447887707a2b796f059dd531a83d299179a64f31fbf58

SHA512
600407dd8acacedac9415245492cf7a1e6f18418ef3faed72bf7c12579ad0616cc99278ba9b0988d8432c2d4d362a8059f02e4d95c9e7a85e660eace02c5cb12

Download Submit
memory/520-147-0x0000000000000000-mapping.dmp

Download
memory/1588-139-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1588-142-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1588-145-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1588-141-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1588-138-0x0000000000000000-mapping.dmp

Download
memory/1588-150-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1588-151-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2864-144-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2864-146-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2864-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads