darkcomet | c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d

General

Target

c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe
Size

955KB
MD5

3aba0561bac692088a8124497b10bcc7
SHA1

d4bd0472181a1fd571b4524208bc10da22901b80
SHA256

c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d
SHA512

844d49380b6c47f0295f33d2282aa9b0d877b5bea990a45c05530ef314bf0d7d060d4587895db944e4ca2688ea492d9863d96cf9bb19cb07a511fa88d7731a86
SSDEEP

24576:rdUvg0chwTjvBIvwaZQJniuL9W0pesrdc4jvU:rpKGoayZtd5nD

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

darkcomet-reborn.no-ip.org:80

Mutex

DC_MUTEX-F54S21D

Attributes

gencode
V7o8b6zx0d0d
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Users\\Admin\\AppData\\Local\\Temp\\win.exe"	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe

description	pid	process	target process
PID 1112 set thread context of 1828	1112	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1828	vbc.exe
Token: SeSecurityPrivilege	1828	vbc.exe
Token: SeTakeOwnershipPrivilege	1828	vbc.exe
Token: SeLoadDriverPrivilege	1828	vbc.exe
Token: SeSystemProfilePrivilege	1828	vbc.exe
Token: SeSystemtimePrivilege	1828	vbc.exe
Token: SeProfSingleProcessPrivilege	1828	vbc.exe
Token: SeIncBasePriorityPrivilege	1828	vbc.exe
Token: SeCreatePagefilePrivilege	1828	vbc.exe
Token: SeBackupPrivilege	1828	vbc.exe
Token: SeRestorePrivilege	1828	vbc.exe
Token: SeShutdownPrivilege	1828	vbc.exe
Token: SeDebugPrivilege	1828	vbc.exe
Token: SeSystemEnvironmentPrivilege	1828	vbc.exe
Token: SeChangeNotifyPrivilege	1828	vbc.exe
Token: SeRemoteShutdownPrivilege	1828	vbc.exe
Token: SeUndockPrivilege	1828	vbc.exe
Token: SeManageVolumePrivilege	1828	vbc.exe
Token: SeImpersonatePrivilege	1828	vbc.exe
Token: SeCreateGlobalPrivilege	1828	vbc.exe
Token: 33	1828	vbc.exe
Token: 34	1828	vbc.exe
Token: 35	1828	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

1828 vbc.exe

pid	process
1828	vbc.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exevbc.exe

description	pid	process	target process
PID 1112 wrote to memory of 1828	1112	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 1112 wrote to memory of 1828	1112	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 1112 wrote to memory of 1828	1112	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 1112 wrote to memory of 1828	1112	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 1112 wrote to memory of 1828	1112	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 1112 wrote to memory of 1828	1112	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 1112 wrote to memory of 1828	1112	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 1112 wrote to memory of 1828	1112	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 1112 wrote to memory of 1828	1112	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 1112 wrote to memory of 1828	1112	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 1112 wrote to memory of 1828	1112	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 1112 wrote to memory of 1828	1112	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 1112 wrote to memory of 1828	1112	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 1828 wrote to memory of 1972	1828	vbc.exe	iexplore.exe
PID 1828 wrote to memory of 1972	1828	vbc.exe	iexplore.exe
PID 1828 wrote to memory of 1972	1828	vbc.exe	iexplore.exe
PID 1828 wrote to memory of 1972	1828	vbc.exe	iexplore.exe
PID 1828 wrote to memory of 916	1828	vbc.exe	explorer.exe
PID 1828 wrote to memory of 916	1828	vbc.exe	explorer.exe
PID 1828 wrote to memory of 916	1828	vbc.exe	explorer.exe
PID 1828 wrote to memory of 916	1828	vbc.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe
"C:\Users\Admin\AppData\Local\Temp\c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1828

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
PID:1972

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
PID:916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1112-72-0x0000000073FC0000-0x000000007456B000-memory.dmp

Filesize
5.7MB

Download
memory/1828-60-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1828-70-0x0000000000490888-mapping.dmp

Download
memory/1828-56-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1828-62-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1828-64-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1828-65-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1828-67-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1828-58-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1828-69-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1828-71-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1828-55-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1828-74-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1828-75-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1828-76-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads