darkcomet | b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a

General

Target

b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe
Size

609KB
MD5

331da72e491868ab31ce11fe02f5bb15
SHA1

bfbf35096f56e92f08815487e1cbb088efaf31e9
SHA256

b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a
SHA512

2b3930150894fb1b6e3f41fd5edeb25f6a68de005a9a20bdd02418a190805a9291c6185d2f7a8e3e3d4a42cbec92fc29d69b76d4d4cd486dd75963ccd6e6c71f
SSDEEP

12288:gzyFWnsipV73N8rA/gC+apkmvReK7E9zF9wTtTEC9NTvER+dZ07boQK1bhHl3:WfZpV7N8rA4i3Rak1JNLI+0oQ+hF

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

216.38.2.194:1608

Mutex

DC_MUTEX-B3GGRXH

Attributes

gencode
x22S1Hl5yBQe
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

tmpCA1B.tmp.exe

pid process

2228 tmpCA1B.tmp.exe

pid	process
2228	tmpCA1B.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmpCA1B.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1709170799 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpCA1B.tmp.exe\""	tmpCA1B.tmp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe

description	pid	process	target process
PID 4840 set thread context of 1080	4840	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exetmpCA1B.tmp.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	4840	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe
Token: SeDebugPrivilege	2228	tmpCA1B.tmp.exe
Token: SeIncreaseQuotaPrivilege	1080	vbc.exe
Token: SeSecurityPrivilege	1080	vbc.exe
Token: SeTakeOwnershipPrivilege	1080	vbc.exe
Token: SeLoadDriverPrivilege	1080	vbc.exe
Token: SeSystemProfilePrivilege	1080	vbc.exe
Token: SeSystemtimePrivilege	1080	vbc.exe
Token: SeProfSingleProcessPrivilege	1080	vbc.exe
Token: SeIncBasePriorityPrivilege	1080	vbc.exe
Token: SeCreatePagefilePrivilege	1080	vbc.exe
Token: SeBackupPrivilege	1080	vbc.exe
Token: SeRestorePrivilege	1080	vbc.exe
Token: SeShutdownPrivilege	1080	vbc.exe
Token: SeDebugPrivilege	1080	vbc.exe
Token: SeSystemEnvironmentPrivilege	1080	vbc.exe
Token: SeChangeNotifyPrivilege	1080	vbc.exe
Token: SeRemoteShutdownPrivilege	1080	vbc.exe
Token: SeUndockPrivilege	1080	vbc.exe
Token: SeManageVolumePrivilege	1080	vbc.exe
Token: SeImpersonatePrivilege	1080	vbc.exe
Token: SeCreateGlobalPrivilege	1080	vbc.exe
Token: 33	1080	vbc.exe
Token: 34	1080	vbc.exe
Token: 35	1080	vbc.exe
Token: 36	1080	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

1080 vbc.exe

pid	process
1080	vbc.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe

description	pid	process	target process
PID 4840 wrote to memory of 2228	4840	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	tmpCA1B.tmp.exe
PID 4840 wrote to memory of 2228	4840	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	tmpCA1B.tmp.exe
PID 4840 wrote to memory of 2228	4840	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	tmpCA1B.tmp.exe
PID 4840 wrote to memory of 1080	4840	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 4840 wrote to memory of 1080	4840	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 4840 wrote to memory of 1080	4840	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 4840 wrote to memory of 1080	4840	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 4840 wrote to memory of 1080	4840	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 4840 wrote to memory of 1080	4840	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 4840 wrote to memory of 1080	4840	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 4840 wrote to memory of 1080	4840	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 4840 wrote to memory of 1080	4840	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 4840 wrote to memory of 1080	4840	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 4840 wrote to memory of 1080	4840	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 4840 wrote to memory of 1080	4840	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 4840 wrote to memory of 1080	4840	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe
PID 4840 wrote to memory of 1080	4840	b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe
"C:\Users\Admin\AppData\Local\Temp\b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4840

C:\Users\Admin\AppData\Local\Temp\tmpCA1B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCA1B.tmp.exe" /pq
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCA1B.tmp.exe
Filesize
609KB

MD5
331da72e491868ab31ce11fe02f5bb15

SHA1
bfbf35096f56e92f08815487e1cbb088efaf31e9

SHA256
b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a

SHA512
2b3930150894fb1b6e3f41fd5edeb25f6a68de005a9a20bdd02418a190805a9291c6185d2f7a8e3e3d4a42cbec92fc29d69b76d4d4cd486dd75963ccd6e6c71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCA1B.tmp.exe
Filesize
609KB

MD5
331da72e491868ab31ce11fe02f5bb15

SHA1
bfbf35096f56e92f08815487e1cbb088efaf31e9

SHA256
b4d1ddba5d16a8e7d588a47b82ae1edd515ce9a7fc49e2463711e230fe7efd0a

SHA512
2b3930150894fb1b6e3f41fd5edeb25f6a68de005a9a20bdd02418a190805a9291c6185d2f7a8e3e3d4a42cbec92fc29d69b76d4d4cd486dd75963ccd6e6c71f

Download Submit
memory/1080-140-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1080-146-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1080-152-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1080-150-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1080-148-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1080-139-0x0000000000000000-mapping.dmp

Download
memory/1080-147-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1080-141-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1080-142-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1080-144-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2228-134-0x0000000000000000-mapping.dmp

Download
memory/2228-138-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/2228-137-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4840-132-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4840-151-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4840-133-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads