darkcomet | b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a

General

Target

b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe
Size

609KB
MD5

331da72e491868ab31ce11fe02f5bb15
SHA1

bfbf35096f56e92f08815487e1cbb088efaf31e9
SHA256

b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a
SHA512

2b3930150894fb1b6e3f41fd5edeb25f6a68de005a9a20bdd02418a190805a9291c6185d2f7a8e3e3d4a42cbec92fc29d69b76d4d4cd486dd75963ccd6e6c71f
SSDEEP

12288:gzyFWnsipV73N8rA/gC+apkmvReK7E9zF9wTtTEC9NTvER+dZ07boQK1bhHl3:WfZpV7N8rA4i3Rak1JNLI+0oQ+hF

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

216.38.2.194:1608

Mutex

DC_MUTEX-B3GGRXH

Attributes

gencode
x22S1Hl5yBQe
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 1 IoCs

pid	Process
892	tmp11FC.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\416396102 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp11FC.tmp.exe\""	tmp11FC.tmp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1368 set thread context of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe
Token: SeDebugPrivilege	892	tmp11FC.tmp.exe
Token: SeIncreaseQuotaPrivilege	680	vbc.exe
Token: SeSecurityPrivilege	680	vbc.exe
Token: SeTakeOwnershipPrivilege	680	vbc.exe
Token: SeLoadDriverPrivilege	680	vbc.exe
Token: SeSystemProfilePrivilege	680	vbc.exe
Token: SeSystemtimePrivilege	680	vbc.exe
Token: SeProfSingleProcessPrivilege	680	vbc.exe
Token: SeIncBasePriorityPrivilege	680	vbc.exe
Token: SeCreatePagefilePrivilege	680	vbc.exe
Token: SeBackupPrivilege	680	vbc.exe
Token: SeRestorePrivilege	680	vbc.exe
Token: SeShutdownPrivilege	680	vbc.exe
Token: SeDebugPrivilege	680	vbc.exe
Token: SeSystemEnvironmentPrivilege	680	vbc.exe
Token: SeChangeNotifyPrivilege	680	vbc.exe
Token: SeRemoteShutdownPrivilege	680	vbc.exe
Token: SeUndockPrivilege	680	vbc.exe
Token: SeManageVolumePrivilege	680	vbc.exe
Token: SeImpersonatePrivilege	680	vbc.exe
Token: SeCreateGlobalPrivilege	680	vbc.exe
Token: 33	680	vbc.exe
Token: 34	680	vbc.exe
Token: 35	680	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
680	vbc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 892	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	27
PID 1368 wrote to memory of 892	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	27
PID 1368 wrote to memory of 892	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	27
PID 1368 wrote to memory of 892	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	27
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	28
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	28
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	28
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	28
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	28
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	28
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	28
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	28
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	28
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	28
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	28
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	28
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	28

C:\Users\Admin\AppData\Local\Temp\b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe
"C:\Users\Admin\AppData\Local\Temp\b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\tmp11FC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp11FC.tmp.exe" /pq
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp11FC.tmp.exe

Filesize
609KB

MD5
331da72e491868ab31ce11fe02f5bb15

SHA1
bfbf35096f56e92f08815487e1cbb088efaf31e9

SHA256
b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a

SHA512
2b3930150894fb1b6e3f41fd5edeb25f6a68de005a9a20bdd02418a190805a9291c6185d2f7a8e3e3d4a42cbec92fc29d69b76d4d4cd486dd75963ccd6e6c71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp11FC.tmp.exe

Filesize
609KB

MD5
331da72e491868ab31ce11fe02f5bb15

SHA1
bfbf35096f56e92f08815487e1cbb088efaf31e9

SHA256
b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a

SHA512
2b3930150894fb1b6e3f41fd5edeb25f6a68de005a9a20bdd02418a190805a9291c6185d2f7a8e3e3d4a42cbec92fc29d69b76d4d4cd486dd75963ccd6e6c71f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp11FC.tmp.exe

Filesize
609KB

MD5
331da72e491868ab31ce11fe02f5bb15

SHA1
bfbf35096f56e92f08815487e1cbb088efaf31e9

SHA256
b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a

SHA512
2b3930150894fb1b6e3f41fd5edeb25f6a68de005a9a20bdd02418a190805a9291c6185d2f7a8e3e3d4a42cbec92fc29d69b76d4d4cd486dd75963ccd6e6c71f

Download Submit
memory/680-84-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-90-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-87-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-86-0x000000000048F888-mapping.dmp

Download
memory/680-78-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-81-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/892-56-0x0000000000000000-mapping.dmp

Download
memory/892-61-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/1368-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1368-88-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/1368-60-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing