darkcomet | bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e

General

Target

bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe
Size

519KB
MD5

0a576752b14445994e436a13e1d5f010
SHA1

ee7a1f32ac798dfbb11657e20ed240590bf6ef0b
SHA256

bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e
SHA512

704bdf6fb715d4b9579f6331e538c2bcdbea7b3c4541a1736838a632358fcbf3ca4070f6c5840636d3746507b7172332480b8669dbd602ea10662be54947e536
SSDEEP

12288:yiATy7mBkza8SK0Gs1QEqAXIMco0MbW4GkRklOVd4:lATh6ly1zXhcabWuklOb4

Score

10^/10

darkcomet hacked by mrchpap'persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

HaCkeD By mrChpap'

C2

misteryou.zapto.org:1604

Mutex

DC_MUTEX-ZEHUWKF

Attributes

InstallPath
SVCHOST\svchost.exe
gencode
0onH4gcghlfP
install
true
offline_keylogger
true
persistence
true
reg_key
svchost

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

cvtres.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\SVCHOST\\svchost.exe"	cvtres.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

896 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

cvtres.exe

pid process

1764 cvtres.exe

pid	process
896	svchost.exe

pid	process
1764	cvtres.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cvtres.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\SVCHOST\\svchost.exe"	cvtres.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe

description	pid	process	target process
PID 1184 set thread context of 1764	1184	bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe	cvtres.exe

Drops file in Windows directory 2 IoCs

Processes:

bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe

pid process

1184 bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe

pid	process
1184	bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.execvtres.exe

description	pid	process
Token: SeDebugPrivilege	1184	bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe
Token: SeIncreaseQuotaPrivilege	1764	cvtres.exe
Token: SeSecurityPrivilege	1764	cvtres.exe
Token: SeTakeOwnershipPrivilege	1764	cvtres.exe
Token: SeLoadDriverPrivilege	1764	cvtres.exe
Token: SeSystemProfilePrivilege	1764	cvtres.exe
Token: SeSystemtimePrivilege	1764	cvtres.exe
Token: SeProfSingleProcessPrivilege	1764	cvtres.exe
Token: SeIncBasePriorityPrivilege	1764	cvtres.exe
Token: SeCreatePagefilePrivilege	1764	cvtres.exe
Token: SeBackupPrivilege	1764	cvtres.exe
Token: SeRestorePrivilege	1764	cvtres.exe
Token: SeShutdownPrivilege	1764	cvtres.exe
Token: SeDebugPrivilege	1764	cvtres.exe
Token: SeSystemEnvironmentPrivilege	1764	cvtres.exe
Token: SeChangeNotifyPrivilege	1764	cvtres.exe
Token: SeRemoteShutdownPrivilege	1764	cvtres.exe
Token: SeUndockPrivilege	1764	cvtres.exe
Token: SeManageVolumePrivilege	1764	cvtres.exe
Token: SeImpersonatePrivilege	1764	cvtres.exe
Token: SeCreateGlobalPrivilege	1764	cvtres.exe
Token: 33	1764	cvtres.exe
Token: 34	1764	cvtres.exe
Token: 35	1764	cvtres.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.execvtres.exe

description	pid	process	target process
PID 1184 wrote to memory of 1764	1184	bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe	cvtres.exe
PID 1184 wrote to memory of 1764	1184	bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe	cvtres.exe
PID 1184 wrote to memory of 1764	1184	bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe	cvtres.exe
PID 1184 wrote to memory of 1764	1184	bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe	cvtres.exe
PID 1184 wrote to memory of 1764	1184	bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe	cvtres.exe
PID 1184 wrote to memory of 1764	1184	bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe	cvtres.exe
PID 1184 wrote to memory of 1764	1184	bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe	cvtres.exe
PID 1184 wrote to memory of 1764	1184	bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe	cvtres.exe
PID 1184 wrote to memory of 1764	1184	bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe	cvtres.exe
PID 1184 wrote to memory of 1764	1184	bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe	cvtres.exe
PID 1184 wrote to memory of 1764	1184	bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe	cvtres.exe
PID 1184 wrote to memory of 1764	1184	bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe	cvtres.exe
PID 1184 wrote to memory of 1764	1184	bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe	cvtres.exe
PID 1764 wrote to memory of 896	1764	cvtres.exe	svchost.exe
PID 1764 wrote to memory of 896	1764	cvtres.exe	svchost.exe
PID 1764 wrote to memory of 896	1764	cvtres.exe	svchost.exe
PID 1764 wrote to memory of 896	1764	cvtres.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe
"C:\Users\Admin\AppData\Local\Temp\bdf46f94b451498f3680e952becb43849fab7b685677737d566a474a7c34e78e.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\SVCHOST\svchost.exe
"C:\SVCHOST\svchost.exe"
3⤵
- Executes dropped EXE
PID:896

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SVCHOST\svchost.exe
Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
\SVCHOST\svchost.exe
Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/896-81-0x0000000000000000-mapping.dmp

Download
memory/1184-74-0x0000000000BE5000-0x0000000000BF6000-memory.dmp

Filesize
68KB

Download
memory/1184-55-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/1184-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/1184-77-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/1184-76-0x0000000000BE5000-0x0000000000BF6000-memory.dmp

Filesize
68KB

Download
memory/1184-75-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/1764-61-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1764-71-0x000000000048F888-mapping.dmp

Download
memory/1764-70-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1764-72-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1764-68-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1764-66-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1764-65-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1764-63-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1764-78-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1764-79-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1764-59-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1764-57-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1764-56-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads