darkcomet | f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e

Analysis

max time kernel
168s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe
Size

1024KB
MD5

039543b29918a1800c8e0e8c9d9ba7d0
SHA1

145769085294b822ff2c805428246795878bbc62
SHA256

f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e
SHA512

d3328f9cd60dcbd029371b56d4b98002a624d3d2ba56b9e707d7a101b8dce81e2761159ecaa8ed51b6ced60ab832522ac6bdb8a197f3fa79797d9aa70f5b5df7
SSDEEP

24576:NdlX2joBPourq9FcX59bowZVuybDjpc/UGR/eGKuYmVUdYb6HRUf:tmFu29Fcp9bowbuy/S/71QuVhOM

Score

10^/10

darkcomet s4ndy rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

S4NDY

kissmyarse.no-ip.biz:5466

Mutex

RLG3J8R6JRP0QA

Attributes

gencode
qYEmNxplwd2o
install
false
offline_keylogger
true
password
9845619822
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Drops desktop.ini file(s) 2 IoCs

Processes:

f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe

description	pid	process	target process
PID 1460 set thread context of 3656	1460	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe	vbc.exe

Drops file in Windows directory 3 IoCs

Processes:

f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe
File created	C:\Windows\assembly\Desktop.ini	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1460	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe
Token: SeIncreaseQuotaPrivilege	3656	vbc.exe
Token: SeSecurityPrivilege	3656	vbc.exe
Token: SeTakeOwnershipPrivilege	3656	vbc.exe
Token: SeLoadDriverPrivilege	3656	vbc.exe
Token: SeSystemProfilePrivilege	3656	vbc.exe
Token: SeSystemtimePrivilege	3656	vbc.exe
Token: SeProfSingleProcessPrivilege	3656	vbc.exe
Token: SeIncBasePriorityPrivilege	3656	vbc.exe
Token: SeCreatePagefilePrivilege	3656	vbc.exe
Token: SeBackupPrivilege	3656	vbc.exe
Token: SeRestorePrivilege	3656	vbc.exe
Token: SeShutdownPrivilege	3656	vbc.exe
Token: SeDebugPrivilege	3656	vbc.exe
Token: SeSystemEnvironmentPrivilege	3656	vbc.exe
Token: SeChangeNotifyPrivilege	3656	vbc.exe
Token: SeRemoteShutdownPrivilege	3656	vbc.exe
Token: SeUndockPrivilege	3656	vbc.exe
Token: SeManageVolumePrivilege	3656	vbc.exe
Token: SeImpersonatePrivilege	3656	vbc.exe
Token: SeCreateGlobalPrivilege	3656	vbc.exe
Token: 33	3656	vbc.exe
Token: 34	3656	vbc.exe
Token: 35	3656	vbc.exe
Token: 36	3656	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

3656 vbc.exe

pid	process
3656	vbc.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe

description	pid	process	target process
PID 1460 wrote to memory of 3656	1460	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe	vbc.exe
PID 1460 wrote to memory of 3656	1460	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe	vbc.exe
PID 1460 wrote to memory of 3656	1460	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe	vbc.exe
PID 1460 wrote to memory of 3656	1460	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe	vbc.exe
PID 1460 wrote to memory of 3656	1460	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe
"C:\Users\Admin\AppData\Local\Temp\f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1460-132-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/1460-137-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/3656-133-0x0000000000000000-mapping.dmp

Download
memory/3656-134-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3656-135-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3656-136-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3656-138-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3656-139-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download