darkcomet | b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874

Analysis

max time kernel
91s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe
Size

514KB
MD5

db3160e357420f805f554a593171eaf1
SHA1

f7b3bca65953e9f9965634e778c95af250d585c3
SHA256

b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874
SHA512

a3e80b118129f9cd8a2e0eadb186455ce44cf1eeb4f3c292d692922af762702cda0077862e8b1a5c7fcac43d60e2b8a71a2713927870c3c35e34957737528170
SSDEEP

12288:/YQpuKMf6NF5s/GA34LzKtDzNZbNlZlb5uplce:LuKMf6D54F34LevbNl75uT

Score

10^/10

darkcomet malay evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

malay

myzaki.zapto.org:80

myzaki.zapto.org:81

myzaki.zapto.org:82

myzaki.zapto.org:83

myzaki.zapto.org:84

myzaki.zapto.org:85

myzaki.zapto.org:5050

Mutex

DC_MUTEX-LF08XVX

Attributes

InstallPath
skype\skype.exe
gencode
krp31zzMQMFc
install
true
offline_keylogger
true
persistence
true
reg_key
Skype

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\skype\\skype.exe"	vbc.exe

Executes dropped EXE 1 IoCs

pid	Process
4820	skype.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
2292	attrib.exe
1564	attrib.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win Update = "C:\\Users\\Admin\\AppData\\Roaming\\Win Update.exe"	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Windows\\system32\\skype\\skype.exe"	vbc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\skype\skype.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\skype\	vbc.exe
File created	C:\Windows\SysWOW64\skype\skype.exe	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4988 set thread context of 1004	4988	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	81

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	attrib.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vbc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1004	vbc.exe
Token: SeSecurityPrivilege	1004	vbc.exe
Token: SeTakeOwnershipPrivilege	1004	vbc.exe
Token: SeLoadDriverPrivilege	1004	vbc.exe
Token: SeSystemProfilePrivilege	1004	vbc.exe
Token: SeSystemtimePrivilege	1004	vbc.exe
Token: SeProfSingleProcessPrivilege	1004	vbc.exe
Token: SeIncBasePriorityPrivilege	1004	vbc.exe
Token: SeCreatePagefilePrivilege	1004	vbc.exe
Token: SeBackupPrivilege	1004	vbc.exe
Token: SeRestorePrivilege	1004	vbc.exe
Token: SeShutdownPrivilege	1004	vbc.exe
Token: SeDebugPrivilege	1004	vbc.exe
Token: SeSystemEnvironmentPrivilege	1004	vbc.exe
Token: SeChangeNotifyPrivilege	1004	vbc.exe
Token: SeRemoteShutdownPrivilege	1004	vbc.exe
Token: SeUndockPrivilege	1004	vbc.exe
Token: SeManageVolumePrivilege	1004	vbc.exe
Token: SeImpersonatePrivilege	1004	vbc.exe
Token: SeCreateGlobalPrivilege	1004	vbc.exe
Token: 33	1004	vbc.exe
Token: 34	1004	vbc.exe
Token: 35	1004	vbc.exe
Token: 36	1004	vbc.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 1004	4988	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	81
PID 4988 wrote to memory of 1004	4988	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	81
PID 4988 wrote to memory of 1004	4988	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	81
PID 4988 wrote to memory of 1004	4988	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	81
PID 4988 wrote to memory of 1004	4988	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	81
PID 4988 wrote to memory of 1004	4988	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	81
PID 4988 wrote to memory of 1004	4988	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	81
PID 4988 wrote to memory of 1004	4988	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	81
PID 4988 wrote to memory of 1004	4988	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	81
PID 4988 wrote to memory of 1004	4988	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	81
PID 4988 wrote to memory of 1004	4988	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	81
PID 4988 wrote to memory of 1004	4988	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	81
PID 4988 wrote to memory of 1004	4988	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	81
PID 4988 wrote to memory of 1004	4988	b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe	81
PID 1004 wrote to memory of 4132	1004	vbc.exe	82
PID 1004 wrote to memory of 4132	1004	vbc.exe	82
PID 1004 wrote to memory of 4132	1004	vbc.exe	82
PID 1004 wrote to memory of 2768	1004	vbc.exe	84
PID 1004 wrote to memory of 2768	1004	vbc.exe	84
PID 1004 wrote to memory of 2768	1004	vbc.exe	84
PID 1004 wrote to memory of 4136	1004	vbc.exe	85
PID 1004 wrote to memory of 4136	1004	vbc.exe	85
PID 1004 wrote to memory of 4136	1004	vbc.exe	85
PID 1004 wrote to memory of 4136	1004	vbc.exe	85
PID 1004 wrote to memory of 4136	1004	vbc.exe	85
PID 1004 wrote to memory of 4136	1004	vbc.exe	85
PID 1004 wrote to memory of 4136	1004	vbc.exe	85
PID 1004 wrote to memory of 4136	1004	vbc.exe	85
PID 1004 wrote to memory of 4136	1004	vbc.exe	85
PID 1004 wrote to memory of 4136	1004	vbc.exe	85
PID 1004 wrote to memory of 4136	1004	vbc.exe	85
PID 1004 wrote to memory of 4136	1004	vbc.exe	85
PID 1004 wrote to memory of 4136	1004	vbc.exe	85
PID 1004 wrote to memory of 4136	1004	vbc.exe	85
PID 1004 wrote to memory of 4136	1004	vbc.exe	85
PID 1004 wrote to memory of 4136	1004	vbc.exe	85
PID 1004 wrote to memory of 4136	1004	vbc.exe	85
PID 4132 wrote to memory of 1564	4132	cmd.exe	88
PID 4132 wrote to memory of 1564	4132	cmd.exe	88
PID 4132 wrote to memory of 1564	4132	cmd.exe	88
PID 2768 wrote to memory of 2292	2768	cmd.exe	87
PID 2768 wrote to memory of 2292	2768	cmd.exe	87
PID 2768 wrote to memory of 2292	2768	cmd.exe	87
PID 1004 wrote to memory of 4820	1004	vbc.exe	89
PID 1004 wrote to memory of 4820	1004	vbc.exe	89
PID 1004 wrote to memory of 4820	1004	vbc.exe	89

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1564	attrib.exe
2292	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe
"C:\Users\Admin\AppData\Local\Temp\b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:2292
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:4136
- - C:\Windows\SysWOW64\skype\skype.exe
    "C:\Windows\system32\skype\skype.exe"
    3⤵
    - Executes dropped EXE
    PID:4820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\skype\skype.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Windows\SysWOW64\skype\skype.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/1004-134-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1004-135-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1004-136-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1004-147-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1004-138-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4988-132-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/4988-137-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads