darkcomet | b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874

Analysis

max time kernel
256s
max time network
337s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe
Size

514KB
MD5

db3160e357420f805f554a593171eaf1
SHA1

f7b3bca65953e9f9965634e778c95af250d585c3
SHA256

b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874
SHA512

a3e80b118129f9cd8a2e0eadb186455ce44cf1eeb4f3c292d692922af762702cda0077862e8b1a5c7fcac43d60e2b8a71a2713927870c3c35e34957737528170
SSDEEP

12288:/YQpuKMf6NF5s/GA34LzKtDzNZbNlZlb5uplce:LuKMf6D54F34LevbNl75uT

Score

10^/10

darkcomet malay evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

malay

myzaki.zapto.org:80

myzaki.zapto.org:81

myzaki.zapto.org:82

myzaki.zapto.org:83

myzaki.zapto.org:84

myzaki.zapto.org:85

myzaki.zapto.org:5050

Mutex

DC_MUTEX-LF08XVX

Attributes

InstallPath
skype\skype.exe
gencode
krp31zzMQMFc
install
true
offline_keylogger
true
persistence
true
reg_key
Skype

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\skype\\skype.exe"	vbc.exe

Executes dropped EXE 1 IoCs

pid	Process
1568	skype.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
432	attrib.exe
1816	attrib.exe

Loads dropped DLL 1 IoCs

pid	Process
564	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win Update = "C:\\Users\\Admin\\AppData\\Roaming\\Win Update.exe"	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Windows\\system32\\skype\\skype.exe"	vbc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\skype\	vbc.exe
File created	C:\Windows\SysWOW64\skype\skype.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\skype\skype.exe	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 540 set thread context of 564	540	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	28

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	attrib.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	564	vbc.exe
Token: SeSecurityPrivilege	564	vbc.exe
Token: SeTakeOwnershipPrivilege	564	vbc.exe
Token: SeLoadDriverPrivilege	564	vbc.exe
Token: SeSystemProfilePrivilege	564	vbc.exe
Token: SeSystemtimePrivilege	564	vbc.exe
Token: SeProfSingleProcessPrivilege	564	vbc.exe
Token: SeIncBasePriorityPrivilege	564	vbc.exe
Token: SeCreatePagefilePrivilege	564	vbc.exe
Token: SeBackupPrivilege	564	vbc.exe
Token: SeRestorePrivilege	564	vbc.exe
Token: SeShutdownPrivilege	564	vbc.exe
Token: SeDebugPrivilege	564	vbc.exe
Token: SeSystemEnvironmentPrivilege	564	vbc.exe
Token: SeChangeNotifyPrivilege	564	vbc.exe
Token: SeRemoteShutdownPrivilege	564	vbc.exe
Token: SeUndockPrivilege	564	vbc.exe
Token: SeManageVolumePrivilege	564	vbc.exe
Token: SeImpersonatePrivilege	564	vbc.exe
Token: SeCreateGlobalPrivilege	564	vbc.exe
Token: 33	564	vbc.exe
Token: 34	564	vbc.exe
Token: 35	564	vbc.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 564	540	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	28
PID 540 wrote to memory of 564	540	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	28
PID 540 wrote to memory of 564	540	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	28
PID 540 wrote to memory of 564	540	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	28
PID 540 wrote to memory of 564	540	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	28
PID 540 wrote to memory of 564	540	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	28
PID 540 wrote to memory of 564	540	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	28
PID 540 wrote to memory of 564	540	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	28
PID 540 wrote to memory of 564	540	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	28
PID 540 wrote to memory of 564	540	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	28
PID 540 wrote to memory of 564	540	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	28
PID 540 wrote to memory of 564	540	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	28
PID 540 wrote to memory of 564	540	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	28
PID 564 wrote to memory of 1364	564	vbc.exe	29
PID 564 wrote to memory of 1364	564	vbc.exe	29
PID 564 wrote to memory of 1364	564	vbc.exe	29
PID 564 wrote to memory of 1364	564	vbc.exe	29
PID 564 wrote to memory of 1820	564	vbc.exe	31
PID 564 wrote to memory of 1820	564	vbc.exe	31
PID 564 wrote to memory of 1820	564	vbc.exe	31
PID 564 wrote to memory of 1820	564	vbc.exe	31
PID 564 wrote to memory of 1672	564	vbc.exe	32
PID 564 wrote to memory of 1672	564	vbc.exe	32
PID 564 wrote to memory of 1672	564	vbc.exe	32
PID 564 wrote to memory of 1672	564	vbc.exe	32
PID 1364 wrote to memory of 1816	1364	cmd.exe	35
PID 1364 wrote to memory of 1816	1364	cmd.exe	35
PID 1364 wrote to memory of 1816	1364	cmd.exe	35
PID 1364 wrote to memory of 1816	1364	cmd.exe	35
PID 1820 wrote to memory of 432	1820	cmd.exe	34
PID 1820 wrote to memory of 432	1820	cmd.exe	34
PID 1820 wrote to memory of 432	1820	cmd.exe	34
PID 1820 wrote to memory of 432	1820	cmd.exe	34
PID 564 wrote to memory of 1672	564	vbc.exe	32
PID 564 wrote to memory of 1672	564	vbc.exe	32
PID 564 wrote to memory of 1672	564	vbc.exe	32
PID 564 wrote to memory of 1672	564	vbc.exe	32
PID 564 wrote to memory of 1672	564	vbc.exe	32
PID 564 wrote to memory of 1672	564	vbc.exe	32
PID 564 wrote to memory of 1672	564	vbc.exe	32
PID 564 wrote to memory of 1672	564	vbc.exe	32
PID 564 wrote to memory of 1672	564	vbc.exe	32
PID 564 wrote to memory of 1672	564	vbc.exe	32
PID 564 wrote to memory of 1672	564	vbc.exe	32
PID 564 wrote to memory of 1672	564	vbc.exe	32
PID 564 wrote to memory of 1672	564	vbc.exe	32
PID 564 wrote to memory of 1672	564	vbc.exe	32
PID 564 wrote to memory of 1568	564	vbc.exe	36
PID 564 wrote to memory of 1568	564	vbc.exe	36
PID 564 wrote to memory of 1568	564	vbc.exe	36
PID 564 wrote to memory of 1568	564	vbc.exe	36

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
432	attrib.exe
1816	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe
"C:\Users\Admin\AppData\Local\Temp\b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:432
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\skype\skype.exe
    "C:\Windows\system32\skype\skype.exe"
    3⤵
    - Executes dropped EXE
    PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\skype\skype.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\skype\skype.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Windows\SysWOW64\skype\skype.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/540-54-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/540-55-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/540-75-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/564-72-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/564-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/564-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/564-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/564-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/564-74-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/564-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/564-56-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/564-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/564-61-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/564-59-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/564-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads