darkcomet | b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a

General

Target

b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe
Size

609KB
MD5

331da72e491868ab31ce11fe02f5bb15
SHA1

bfbf35096f56e92f08815487e1cbb088efaf31e9
SHA256

b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a
SHA512

2b3930150894fb1b6e3f41fd5edeb25f6a68de005a9a20bdd02418a190805a9291c6185d2f7a8e3e3d4a42cbec92fc29d69b76d4d4cd486dd75963ccd6e6c71f
SSDEEP

12288:gzyFWnsipV73N8rA/gC+apkmvReK7E9zF9wTtTEC9NTvER+dZ07boQK1bhHl3:WfZpV7N8rA4i3Rak1JNLI+0oQ+hF

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

216.38.2.194:1608

Mutex

DC_MUTEX-B3GGRXH

Attributes

gencode
x22S1Hl5yBQe
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

tmp11FC.tmp.exe

pid process

892 tmp11FC.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe

pid process

1368 b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
892	tmp11FC.tmp.exe

pid	process
1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp11FC.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\416396102 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp11FC.tmp.exe\""	tmp11FC.tmp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe

description pid process target process

PID 1368 set thread context of 680 1368 b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1368 set thread context of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exetmp11FC.tmp.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe
Token: SeDebugPrivilege	892	tmp11FC.tmp.exe
Token: SeIncreaseQuotaPrivilege	680	vbc.exe
Token: SeSecurityPrivilege	680	vbc.exe
Token: SeTakeOwnershipPrivilege	680	vbc.exe
Token: SeLoadDriverPrivilege	680	vbc.exe
Token: SeSystemProfilePrivilege	680	vbc.exe
Token: SeSystemtimePrivilege	680	vbc.exe
Token: SeProfSingleProcessPrivilege	680	vbc.exe
Token: SeIncBasePriorityPrivilege	680	vbc.exe
Token: SeCreatePagefilePrivilege	680	vbc.exe
Token: SeBackupPrivilege	680	vbc.exe
Token: SeRestorePrivilege	680	vbc.exe
Token: SeShutdownPrivilege	680	vbc.exe
Token: SeDebugPrivilege	680	vbc.exe
Token: SeSystemEnvironmentPrivilege	680	vbc.exe
Token: SeChangeNotifyPrivilege	680	vbc.exe
Token: SeRemoteShutdownPrivilege	680	vbc.exe
Token: SeUndockPrivilege	680	vbc.exe
Token: SeManageVolumePrivilege	680	vbc.exe
Token: SeImpersonatePrivilege	680	vbc.exe
Token: SeCreateGlobalPrivilege	680	vbc.exe
Token: 33	680	vbc.exe
Token: 34	680	vbc.exe
Token: 35	680	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

680 vbc.exe

pid	process
680	vbc.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe

description	pid	process	target process
PID 1368 wrote to memory of 892	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	tmp11FC.tmp.exe
PID 1368 wrote to memory of 892	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	tmp11FC.tmp.exe
PID 1368 wrote to memory of 892	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	tmp11FC.tmp.exe
PID 1368 wrote to memory of 892	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	tmp11FC.tmp.exe
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 1368 wrote to memory of 680	1368	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe
"C:\Users\Admin\AppData\Local\Temp\b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\tmp11FC.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp11FC.tmp.exe" /pq
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp11FC.tmp.exe
Filesize
609KB

MD5
331da72e491868ab31ce11fe02f5bb15

SHA1
bfbf35096f56e92f08815487e1cbb088efaf31e9

SHA256
b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a

SHA512
2b3930150894fb1b6e3f41fd5edeb25f6a68de005a9a20bdd02418a190805a9291c6185d2f7a8e3e3d4a42cbec92fc29d69b76d4d4cd486dd75963ccd6e6c71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp11FC.tmp.exe
Filesize
609KB

MD5
331da72e491868ab31ce11fe02f5bb15

SHA1
bfbf35096f56e92f08815487e1cbb088efaf31e9

SHA256
b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a

SHA512
2b3930150894fb1b6e3f41fd5edeb25f6a68de005a9a20bdd02418a190805a9291c6185d2f7a8e3e3d4a42cbec92fc29d69b76d4d4cd486dd75963ccd6e6c71f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp11FC.tmp.exe
Filesize
609KB

MD5
331da72e491868ab31ce11fe02f5bb15

SHA1
bfbf35096f56e92f08815487e1cbb088efaf31e9

SHA256
b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a

SHA512
2b3930150894fb1b6e3f41fd5edeb25f6a68de005a9a20bdd02418a190805a9291c6185d2f7a8e3e3d4a42cbec92fc29d69b76d4d4cd486dd75963ccd6e6c71f

Download Submit
memory/680-84-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-90-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-87-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-86-0x000000000048F888-mapping.dmp

Download
memory/680-78-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/680-81-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/892-56-0x0000000000000000-mapping.dmp

Download
memory/892-61-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/1368-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1368-88-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/1368-60-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads