darkcomet | f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e

Analysis

max time kernel
168s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe
Size

1024KB
MD5

039543b29918a1800c8e0e8c9d9ba7d0
SHA1

145769085294b822ff2c805428246795878bbc62
SHA256

f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e
SHA512

d3328f9cd60dcbd029371b56d4b98002a624d3d2ba56b9e707d7a101b8dce81e2761159ecaa8ed51b6ced60ab832522ac6bdb8a197f3fa79797d9aa70f5b5df7
SSDEEP

24576:NdlX2joBPourq9FcX59bowZVuybDjpc/UGR/eGKuYmVUdYb6HRUf:tmFu29Fcp9bowbuy/S/71QuVhOM

Score

10^/10

darkcomet s4ndy rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

S4NDY

kissmyarse.no-ip.biz:5466

Mutex

RLG3J8R6JRP0QA

Attributes

gencode
qYEmNxplwd2o
install
false
offline_keylogger
true
password
9845619822
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1460 set thread context of 3656	1460	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe	85

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe
File created	C:\Windows\assembly\Desktop.ini	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe
Token: SeIncreaseQuotaPrivilege	3656	vbc.exe
Token: SeSecurityPrivilege	3656	vbc.exe
Token: SeTakeOwnershipPrivilege	3656	vbc.exe
Token: SeLoadDriverPrivilege	3656	vbc.exe
Token: SeSystemProfilePrivilege	3656	vbc.exe
Token: SeSystemtimePrivilege	3656	vbc.exe
Token: SeProfSingleProcessPrivilege	3656	vbc.exe
Token: SeIncBasePriorityPrivilege	3656	vbc.exe
Token: SeCreatePagefilePrivilege	3656	vbc.exe
Token: SeBackupPrivilege	3656	vbc.exe
Token: SeRestorePrivilege	3656	vbc.exe
Token: SeShutdownPrivilege	3656	vbc.exe
Token: SeDebugPrivilege	3656	vbc.exe
Token: SeSystemEnvironmentPrivilege	3656	vbc.exe
Token: SeChangeNotifyPrivilege	3656	vbc.exe
Token: SeRemoteShutdownPrivilege	3656	vbc.exe
Token: SeUndockPrivilege	3656	vbc.exe
Token: SeManageVolumePrivilege	3656	vbc.exe
Token: SeImpersonatePrivilege	3656	vbc.exe
Token: SeCreateGlobalPrivilege	3656	vbc.exe
Token: 33	3656	vbc.exe
Token: 34	3656	vbc.exe
Token: 35	3656	vbc.exe
Token: 36	3656	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3656	vbc.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 3656	1460	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe	85
PID 1460 wrote to memory of 3656	1460	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe	85
PID 1460 wrote to memory of 3656	1460	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe	85
PID 1460 wrote to memory of 3656	1460	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe	85
PID 1460 wrote to memory of 3656	1460	f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe	85

C:\Users\Admin\AppData\Local\Temp\f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe
"C:\Users\Admin\AppData\Local\Temp\f285d4bb56b1a4e14579d749e5d6b3d722840a56710e8967a643f3db6545b25e.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1460-132-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/1460-137-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/3656-134-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3656-135-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3656-136-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3656-138-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3656-139-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download