darkcomet | 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504

General

Target

9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
Size

742KB
MD5

3d9fb784d8bad35e1fc6f114092b0e61
SHA1

21950040713e37949c80b75e4c15fa6163ef67b2
SHA256

9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504
SHA512

9c80a51a0849195f6cac34a8cba53229d05a900d29ba8a327418d5502ee559485b8b1637f07be43404fe737f29a669412e11ffd329b210f04ebd040493230f85
SSDEEP

12288:J08Xr7FoMtKhx92E7eosUsF4hxekb7NKiMRFhoE3KK1:m8b7FoGKX8KeosUO4hwktKbhou/1

Score

10^/10

darkcomet guest16 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

188.190.86.62:1604

Mutex

DC_MUTEX-W0U2X3G

Attributes

gencode
ApppNhBV8t9f
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

bac.exe

pid process

1496 bac.exe

pid	process
1496	bac.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe

Loads dropped DLL 2 IoCs

Processes:

9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe

pid	process
1244	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
1244	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe

description	pid	process	target process
PID 1216 set thread context of 1244	1216	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe

pid	process
1244	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
1244	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
1244	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
1244	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
1244	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
1244	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
1244	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

bac.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1496	bac.exe
Token: SeSecurityPrivilege	1496	bac.exe
Token: SeTakeOwnershipPrivilege	1496	bac.exe
Token: SeLoadDriverPrivilege	1496	bac.exe
Token: SeSystemProfilePrivilege	1496	bac.exe
Token: SeSystemtimePrivilege	1496	bac.exe
Token: SeProfSingleProcessPrivilege	1496	bac.exe
Token: SeIncBasePriorityPrivilege	1496	bac.exe
Token: SeCreatePagefilePrivilege	1496	bac.exe
Token: SeBackupPrivilege	1496	bac.exe
Token: SeRestorePrivilege	1496	bac.exe
Token: SeShutdownPrivilege	1496	bac.exe
Token: SeDebugPrivilege	1496	bac.exe
Token: SeSystemEnvironmentPrivilege	1496	bac.exe
Token: SeChangeNotifyPrivilege	1496	bac.exe
Token: SeRemoteShutdownPrivilege	1496	bac.exe
Token: SeUndockPrivilege	1496	bac.exe
Token: SeManageVolumePrivilege	1496	bac.exe
Token: SeImpersonatePrivilege	1496	bac.exe
Token: SeCreateGlobalPrivilege	1496	bac.exe
Token: 33	1496	bac.exe
Token: 34	1496	bac.exe
Token: 35	1496	bac.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exebac.exe

pid process

1216 9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
1496 bac.exe

pid	process
1216	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
1496	bac.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe

description	pid	process	target process
PID 1216 wrote to memory of 1244	1216	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
PID 1216 wrote to memory of 1244	1216	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
PID 1216 wrote to memory of 1244	1216	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
PID 1216 wrote to memory of 1244	1216	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
PID 1216 wrote to memory of 1244	1216	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
PID 1216 wrote to memory of 1244	1216	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
PID 1216 wrote to memory of 1244	1216	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
PID 1216 wrote to memory of 1244	1216	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
PID 1244 wrote to memory of 1496	1244	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe	bac.exe
PID 1244 wrote to memory of 1496	1244	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe	bac.exe
PID 1244 wrote to memory of 1496	1244	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe	bac.exe
PID 1244 wrote to memory of 1496	1244	9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe	bac.exe

C:\Users\Admin\AppData\Local\Temp\9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
"C:\Users\Admin\AppData\Local\Temp\9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe
"C:\Users\Admin\AppData\Local\Temp\9d1e5cdd301370265effefd9d7332917a9f81148b9c5345e14cf4d7627b3e504.exe"
2⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\bac.exe
"C:\Users\Admin\AppData\Local\Temp\bac.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bac.exe
Filesize
658KB

MD5
d37899867bdc4398f4f8d32970532df0

SHA1
0e9280bb97c025182cc5627b6b3c0f0285c3b3cb

SHA256
d82d52a01d5f2975d94e35866cb3af0123f9f7ab2668865e458832eace80e39a

SHA512
6924fac44bc33880bb731ba0a158e92d39aad1bd6d04d1484e3c2f33a4e6f6bd82d740c31923078dbcbc5755f4f6476fa7d1538cf9cd040f6689ea68e0528c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\bac.exe
Filesize
658KB

MD5
d37899867bdc4398f4f8d32970532df0

SHA1
0e9280bb97c025182cc5627b6b3c0f0285c3b3cb

SHA256
d82d52a01d5f2975d94e35866cb3af0123f9f7ab2668865e458832eace80e39a

SHA512
6924fac44bc33880bb731ba0a158e92d39aad1bd6d04d1484e3c2f33a4e6f6bd82d740c31923078dbcbc5755f4f6476fa7d1538cf9cd040f6689ea68e0528c84

Download Submit
\Users\Admin\AppData\Local\Temp\bac.exe
Filesize
658KB

MD5
d37899867bdc4398f4f8d32970532df0

SHA1
0e9280bb97c025182cc5627b6b3c0f0285c3b3cb

SHA256
d82d52a01d5f2975d94e35866cb3af0123f9f7ab2668865e458832eace80e39a

SHA512
6924fac44bc33880bb731ba0a158e92d39aad1bd6d04d1484e3c2f33a4e6f6bd82d740c31923078dbcbc5755f4f6476fa7d1538cf9cd040f6689ea68e0528c84

Download Submit
\Users\Admin\AppData\Local\Temp\bac.exe
Filesize
658KB

MD5
d37899867bdc4398f4f8d32970532df0

SHA1
0e9280bb97c025182cc5627b6b3c0f0285c3b3cb

SHA256
d82d52a01d5f2975d94e35866cb3af0123f9f7ab2668865e458832eace80e39a

SHA512
6924fac44bc33880bb731ba0a158e92d39aad1bd6d04d1484e3c2f33a4e6f6bd82d740c31923078dbcbc5755f4f6476fa7d1538cf9cd040f6689ea68e0528c84

Download Submit
memory/1244-61-0x00000000004FF1C0-mapping.dmp

Download
memory/1244-63-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1244-64-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1244-65-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1244-66-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1244-56-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1244-60-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1244-59-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1244-57-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1244-73-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1244-74-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1496-69-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads