darkcomet | 86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a

Analysis

max time kernel
150s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe
Size

418KB
MD5

bf67fdf8fe29e6ec7308291511249a6e
SHA1

b73c218ad338e3e8be83ef51e30c4f510e1d877c
SHA256

86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a
SHA512

11a13d788bdd8f34fd5bf852a090f2e7a96e18805da34d4d7d8ae94fdf494a4ee45601f43ea5fe2ba407c3776f81bb8ededa2a320d2390bf997b61a01ba74364
SSDEEP

12288:dey7BmWevJzUEWTBJ6fJGZ4JQLvISG6Ly1KsoPATVh9F4:dV7BmhzUEWCfJGRLn8Kj

Score

10^/10

darkcomet 1st persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

1ST

imohi999.zapto.org:1604

Mutex

DC_MUTEX-6F9QUAU

Attributes

gencode
laeZe1tFmb5q
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/492-157-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/492-158-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/492-159-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/492-163-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/492-162-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/492-161-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/492-164-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xKfDLGMrkFHNie = "C:\\Users\\Admin\\AppData\\Roaming\\FfABsZaVqmgsyb.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe

description	pid	process	target process
PID 5056 set thread context of 1444	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 5056 set thread context of 492	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe

NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\FfABsZaVqmgsyb.exe:ZONE.identifier cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\FfABsZaVqmgsyb.exe:ZONE.identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe
Token: SeIncreaseQuotaPrivilege	492	vbc.exe
Token: SeSecurityPrivilege	492	vbc.exe
Token: SeTakeOwnershipPrivilege	492	vbc.exe
Token: SeLoadDriverPrivilege	492	vbc.exe
Token: SeSystemProfilePrivilege	492	vbc.exe
Token: SeSystemtimePrivilege	492	vbc.exe
Token: SeProfSingleProcessPrivilege	492	vbc.exe
Token: SeIncBasePriorityPrivilege	492	vbc.exe
Token: SeCreatePagefilePrivilege	492	vbc.exe
Token: SeBackupPrivilege	492	vbc.exe
Token: SeRestorePrivilege	492	vbc.exe
Token: SeShutdownPrivilege	492	vbc.exe
Token: SeDebugPrivilege	492	vbc.exe
Token: SeSystemEnvironmentPrivilege	492	vbc.exe
Token: SeChangeNotifyPrivilege	492	vbc.exe
Token: SeRemoteShutdownPrivilege	492	vbc.exe
Token: SeUndockPrivilege	492	vbc.exe
Token: SeManageVolumePrivilege	492	vbc.exe
Token: SeImpersonatePrivilege	492	vbc.exe
Token: SeCreateGlobalPrivilege	492	vbc.exe
Token: 33	492	vbc.exe
Token: 34	492	vbc.exe
Token: 35	492	vbc.exe
Token: 36	492	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1444 vbc.exe
492 vbc.exe

pid	process
1444	vbc.exe
492	vbc.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exevbc.exevbc.exe

description	pid	process	target process
PID 5056 wrote to memory of 648	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 5056 wrote to memory of 648	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 5056 wrote to memory of 648	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 648 wrote to memory of 5080	648	vbc.exe	cvtres.exe
PID 648 wrote to memory of 5080	648	vbc.exe	cvtres.exe
PID 648 wrote to memory of 5080	648	vbc.exe	cvtres.exe
PID 5056 wrote to memory of 4940	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 5056 wrote to memory of 4940	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 5056 wrote to memory of 4940	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 4940 wrote to memory of 2956	4940	vbc.exe	cvtres.exe
PID 4940 wrote to memory of 2956	4940	vbc.exe	cvtres.exe
PID 4940 wrote to memory of 2956	4940	vbc.exe	cvtres.exe
PID 5056 wrote to memory of 1444	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 5056 wrote to memory of 1444	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 5056 wrote to memory of 1444	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 5056 wrote to memory of 1444	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 5056 wrote to memory of 1444	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 5056 wrote to memory of 1444	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 5056 wrote to memory of 1444	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 5056 wrote to memory of 1444	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 5056 wrote to memory of 2988	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	cmd.exe
PID 5056 wrote to memory of 2988	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	cmd.exe
PID 5056 wrote to memory of 2988	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	cmd.exe
PID 5056 wrote to memory of 492	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 5056 wrote to memory of 492	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 5056 wrote to memory of 492	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 5056 wrote to memory of 492	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 5056 wrote to memory of 492	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 5056 wrote to memory of 492	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 5056 wrote to memory of 492	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe
PID 5056 wrote to memory of 492	5056	86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe
"C:\Users\Admin\AppData\Local\Temp\86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ifa17tua.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEAB3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8462FDD245284B8CBEF4F7D3C295E4EC.TMP"
3⤵
PID:5080

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nbefdr6l.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC2A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc92F858F187964F968397A6C4CB3F4AF.TMP"
3⤵
PID:2956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Windows\SysWOW64\cmd.exe
"cmd"
2⤵
- NTFS ADS
PID:2988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEAB3.tmp
Filesize
1KB

MD5
c35d6b7dc5989345b14756f141b42e98

SHA1
63715ef8e31558b4cbe0dfc9d0de0bd7d5d1f50f

SHA256
b283b2ecb85ff40f0de654cd3d78d9679e5b9b8fa7f359a6582f5a92fcbd6302

SHA512
7eeba894245f3825bb03143c8ef3f9806e37625565b7884e3b88d2e57320e6c86aca7f97907dd287773e46623aca67eeeeafe8ae322d88d04c72566e3436cdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEC2A.tmp
Filesize
1KB

MD5
3f4ed10d9dad76ba89d7e8b84c7ec599

SHA1
a0e0350d770cbf113ded47fc3317b869081bbbd8

SHA256
f6987e465f38cc5e5cb9fdc577607ce89f9073cf120c51ceb752be3821c80a24

SHA512
702e1ee1d55114de5f8b0b3e3cca2ba2336b817276059ce03f4a96cf58dbe8abf33c3908b54101659052baf8190398cbb356ce014e0d508175c82f18c267f257

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifa17tua.0.vb
Filesize
254B

MD5
36757aabf0e4f39dfa4e7d0e2c0506fd

SHA1
3bebb1de5f217019420de8336b66b8768502cb41

SHA256
97b2b1e8c82404ea0cce8951b9a9dc503d3057c53d1734a18a5140061a5087df

SHA512
67abe6724460d9b9bf55f88230ca05f692cce346266486b73504bd1369aa814b0e1424a0572bdd0d48621bcb01a652ea757beb2ae5544ba9db2c790fed6d35b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifa17tua.cmdline
Filesize
317B

MD5
75270e5490370a363f1b50666de20457

SHA1
a402ba3819b7b352b54aff6585db5dc5c22ba083

SHA256
8647831a19e7dd4cf55e18af699e88a184436a3f9db0d05e787a047682c5d27b

SHA512
264910a7fa98f134858e2fa467e891534f31cfaaafe13f7b177644020a1aeb5b9d6024285c2dc8a729c56cfafcfecd6584766807bd3ddfb8a31551dfef13fda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifa17tua.dll
Filesize
6KB

MD5
5dc01abe3ad9b84112ef9d3cd9a9e420

SHA1
4a51a01e76531df78457221873c4b91bddb654c0

SHA256
6c16f9a1988533aab63c4a0af354ab11714f27290f46b385d24a4560160ffe5a

SHA512
231fbd80032b6464c4457b32f6def5cd1443c6a2b82896785ecef5d4c82be477ed9f591108600dda4ba44c83c51644186a4926148b509e733d2fd5fb7b6bae4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbefdr6l.0.vb
Filesize
254B

MD5
36757aabf0e4f39dfa4e7d0e2c0506fd

SHA1
3bebb1de5f217019420de8336b66b8768502cb41

SHA256
97b2b1e8c82404ea0cce8951b9a9dc503d3057c53d1734a18a5140061a5087df

SHA512
67abe6724460d9b9bf55f88230ca05f692cce346266486b73504bd1369aa814b0e1424a0572bdd0d48621bcb01a652ea757beb2ae5544ba9db2c790fed6d35b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbefdr6l.cmdline
Filesize
317B

MD5
7ed6746edf97a4d67525c415e33c89d7

SHA1
9a4837a2ce3b1b507ffcc2ca2aedafabf9e978ff

SHA256
3f30973284d3c3f859e4668a3fd1c3f9342fc20640046f65298a6b0e40124b19

SHA512
5f5eda1c502ea98217b0519f4f6d25777bd525e4cc24b7fe4c1b752fae7653c9d47b5d3ef3d38435b14cda9a4e461e2b719dee2bfd97c893d079979893ac9580

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbefdr6l.dll
Filesize
6KB

MD5
3914b130fac9f013eb0a41083156b17b

SHA1
7c59e09fdb86a0a66bb449e39e9e51e3a2887517

SHA256
84a55e0fa952eeac5fc607221897784ec2246628453ffdc1df4eca8f517eeba3

SHA512
d1f5ca43bd110a810a6d572c106eb897b1aaee6335bd6d21ea98ca89ed8bb64c1916be88607bacee4bf7f5070cc29c9d3bc95e4e0d2afacb0746d47211a52d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8462FDD245284B8CBEF4F7D3C295E4EC.TMP
Filesize
652B

MD5
1203d4eac4d2ce446324d2cf1c75b11d

SHA1
fe30537d24bb297e9264265dd07ccd81154e0e87

SHA256
2d8510e05aa645a46c54346adaff943a5a37ab9ed580c99a749065074d238935

SHA512
771d3f1da3d2f7d7f0bba87112c94be8cf951963f9f29dbc51b57ec6932265781382e5b1bb0b5411fe3a3b471cbf279f431f4b953b6ebf9a026b7ea335b6bc17

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc92F858F187964F968397A6C4CB3F4AF.TMP
Filesize
652B

MD5
e6ffe1434aa5bf2062bf4b2634c62d50

SHA1
2dc725a4a722d7c4f79bcc28b2fc859b0fe768ee

SHA256
1b32c573a9fb70a1b4f7c02b41c8d36a9fb2e85639d64c26d510d1ea8e133f31

SHA512
96bfb077c51004ba4ae4ab3b3fc859186016c7482803ce1f846be2c2d477ac2a290929564e764e525ba47d925f761295dbe150189ad30e41a213f6a5add4a685

Download Submit
C:\Users\Admin\AppData\Roaming\FfABsZaVqmgsyb.exe
Filesize
418KB

MD5
bf67fdf8fe29e6ec7308291511249a6e

SHA1
b73c218ad338e3e8be83ef51e30c4f510e1d877c

SHA256
86c277d8dc9db1a266d0e1bd6532998d29193d566d7c2d43da7619c0a90f412a

SHA512
11a13d788bdd8f34fd5bf852a090f2e7a96e18805da34d4d7d8ae94fdf494a4ee45601f43ea5fe2ba407c3776f81bb8ededa2a320d2390bf997b61a01ba74364

Download Submit
C:\Users\Admin\AppData\Roaming\fp.txt
Filesize
134B

MD5
410fd1b0ed3c1476b9711734e07d056a

SHA1
fcb214374b2248ca381c4c1606492fb0c1661740

SHA256
4a94fffcb546b61aa2e5ce0051c5c8a70cd3a678808809d17c63bd4c705753f0

SHA512
28ad56bb14e677c2e8d270fda31d4b62833fb8fb169462f9d7b9e1adc32e396f4ce66de282874c6fe2b8c1b2752e5c221428252566fed521950c2fd2ffd924b4

Download Submit
memory/492-158-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/492-163-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/492-164-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/492-161-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/492-156-0x0000000000000000-mapping.dmp

Download
memory/492-157-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/492-162-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/492-159-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/648-133-0x0000000000000000-mapping.dmp

Download
memory/1444-147-0x0000000000000000-mapping.dmp

Download
memory/1444-148-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1444-155-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2956-143-0x0000000000000000-mapping.dmp

Download
memory/2988-152-0x0000000000000000-mapping.dmp

Download
memory/4940-140-0x0000000000000000-mapping.dmp

Download
memory/5056-160-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/5056-132-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/5080-136-0x0000000000000000-mapping.dmp

Download